redline | 4c7081148a218b609dca62b2ce1106e4a2e075671b0fb64352056cd6e58e7873

Analysis

max time kernel
142s
max time network
154s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-01-2023 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

infected/RobloxSynapceX Cracked.exe
Size

521KB
MD5

0afb47c295e5bc185b8272dc5a8967b6
SHA1

5cedced75b7fc0a2f3457e9ff4e0c98b171b9ccb
SHA256

0a7431f4637b27f103a4fb6d8cca52248cb4c7a77c8dd5500ca351c45c355320
SHA512

03f49b5f06ebfb4ee42b1e82ad36515a34823904b9d7b3c28e99d9345b2052ea689552e8b9c39b4ca47efa5dbf60ab98cf325397e4be68c759777d7cdd7823dc
SSDEEP

12288:O8DF2BeDFTYaOCaDecRe6kFfo13yzbVMyVS:O8DF2wDFTYaCY6kXz1VS

Score

10^/10

redline infostealer spyware

Malware Config

Extracted

Family

redline

82.115.223.46:57672

Attributes

auth_value
422677a3af554849aa4fba45f91db2d0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

RobloxSynapceX Cracked.exe

description pid process target process

PID 568 set thread context of 520 568 RobloxSynapceX Cracked.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1448 568 WerFault.exe RobloxSynapceX Cracked.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

520 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 520 vbc.exe

description	pid	process	target process
PID 568 set thread context of 520	568	RobloxSynapceX Cracked.exe	vbc.exe

pid	pid_target	process	target process
1448	568	WerFault.exe	RobloxSynapceX Cracked.exe

pid	process
520	vbc.exe

description	pid	process
Token: SeDebugPrivilege	520	vbc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

RobloxSynapceX Cracked.exe

description	pid	process	target process
PID 568 wrote to memory of 520	568	RobloxSynapceX Cracked.exe	vbc.exe
PID 568 wrote to memory of 520	568	RobloxSynapceX Cracked.exe	vbc.exe
PID 568 wrote to memory of 520	568	RobloxSynapceX Cracked.exe	vbc.exe
PID 568 wrote to memory of 520	568	RobloxSynapceX Cracked.exe	vbc.exe
PID 568 wrote to memory of 520	568	RobloxSynapceX Cracked.exe	vbc.exe
PID 568 wrote to memory of 520	568	RobloxSynapceX Cracked.exe	vbc.exe
PID 568 wrote to memory of 1448	568	RobloxSynapceX Cracked.exe	WerFault.exe
PID 568 wrote to memory of 1448	568	RobloxSynapceX Cracked.exe	WerFault.exe
PID 568 wrote to memory of 1448	568	RobloxSynapceX Cracked.exe	WerFault.exe
PID 568 wrote to memory of 1448	568	RobloxSynapceX Cracked.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 36
2⤵
- Program crash
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/520-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/520-61-0x000000000041BCAE-mapping.dmp

Download
memory/520-63-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/520-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/520-66-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/568-62-0x0000000000370000-0x00000000003F7000-memory.dmp

Filesize
540KB

Download
memory/1448-65-0x0000000000000000-mapping.dmp

Download