Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2023 22:50

General

  • Target

    3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe

  • Size

    386KB

  • MD5

    cf15fbdc9ee423a036182972c85601ad

  • SHA1

    8fda4b5d42ed10c6d1c7021e70498233b33713f0

  • SHA256

    3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f

  • SHA512

    ee35d6d68eae7ff6952a9a3c251e0011eda51dabf2d298475a3e276e962f8f084868c8d4b9d505f02b6f18f5b3424792d3e104a5d3b1e88d69bdf7804de7f4e1

  • SSDEEP

    12288:+RRMyUvkLk2zVcOjZh1rskSnQ4DJW0Wrf0S+n9dDuu788Xzwlrz2lB4ung2oonKo:+RWvr8B1skSnQ4DJW0Wrf0S+n9dDuu7D

Malware Config

Extracted

  • Family
    redline
  • Botnet
    11
  • C2
    79.137.202.18:45218
  • Attributes
    • auth_value
      107e09eee63158d2488feb03dac75204

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe
    "C:\Users\Admin\AppData\Local\Temp\3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4788
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 516
      2⤵
      • Program crash
      PID:3460
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5056 -ip 5056
    1⤵
    PID:4844

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Execution
      Scripting (1) T1064
    • Defense Evasion
      Scripting (1) T1064
    • Credential Access
      Credentials in Files (1) T1081
    • Collection
      Data from Local System (1) T1005


    Downloads

    • memory/4788-133-0x0000000000400000-0x0000000000432000-memory.dmp
      Filesize: 200KB
    • memory/4788-132-0x0000000000000000-mapping.dmp
    • memory/4788-138-0x00000000059C0000-0x0000000005FD8000-memory.dmp
      Filesize: 6.1MB
    • memory/4788-139-0x0000000005530000-0x000000000563A000-memory.dmp
      Filesize: 1.0MB
    • memory/4788-140-0x0000000005460000-0x0000000005472000-memory.dmp
      Filesize: 72KB
    • memory/4788-141-0x00000000054D0000-0x000000000550C000-memory.dmp
      Filesize: 240KB
    • memory/4788-142-0x00000000057D0000-0x0000000005836000-memory.dmp
      Filesize: 408KB
    • memory/4788-143-0x0000000006890000-0x0000000006E34000-memory.dmp
      Filesize: 5.6MB
    • memory/4788-144-0x00000000063C0000-0x0000000006452000-memory.dmp
      Filesize: 584KB
    • memory/4788-145-0x00000000078F0000-0x0000000007966000-memory.dmp
      Filesize: 472KB
    • memory/4788-146-0x0000000006840000-0x0000000006890000-memory.dmp
      Filesize: 320KB
    • memory/4788-147-0x0000000007150000-0x0000000007312000-memory.dmp
      Filesize: 1.8MB
    • memory/4788-148-0x0000000007EA0000-0x00000000083CC000-memory.dmp
      Filesize: 5.2MB