Analysis
-
max time kernel
148s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
16-01-2023 22:50
Static task
static1
Behavioral task
behavioral1
Sample
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe
Resource
win10v2004-20221111-en
General
-
Target
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe
-
Size
386KB
-
MD5
cf15fbdc9ee423a036182972c85601ad
-
SHA1
8fda4b5d42ed10c6d1c7021e70498233b33713f0
-
SHA256
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f
-
SHA512
ee35d6d68eae7ff6952a9a3c251e0011eda51dabf2d298475a3e276e962f8f084868c8d4b9d505f02b6f18f5b3424792d3e104a5d3b1e88d69bdf7804de7f4e1
-
SSDEEP
12288:+RRMyUvkLk2zVcOjZh1rskSnQ4DJW0Wrf0S+n9dDuu788Xzwlrz2lB4ung2oonKo:+RWvr8B1skSnQ4DJW0Wrf0S+n9dDuu7D
Malware Config
Extracted
redline
11
79.137.202.18:45218
-
auth_value
107e09eee63158d2488feb03dac75204
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exedescription pid process target process PID 5056 set thread context of 4788 5056 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe vbc.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3460 5056 WerFault.exe 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vbc.exepid process 4788 vbc.exe 4788 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 4788 vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exedescription pid process target process PID 5056 wrote to memory of 4788 5056 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe vbc.exe PID 5056 wrote to memory of 4788 5056 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe vbc.exe PID 5056 wrote to memory of 4788 5056 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe vbc.exe PID 5056 wrote to memory of 4788 5056 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe vbc.exe PID 5056 wrote to memory of 4788 5056 3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe"C:\Users\Admin\AppData\Local\Temp\3121319197d74f5566275fed514d2fcc301bba22c7c687946401c9feaed2667f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 5162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5056 -ip 50561⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4788-133-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/4788-132-0x0000000000000000-mapping.dmp
-
memory/4788-138-0x00000000059C0000-0x0000000005FD8000-memory.dmpFilesize
6.1MB
-
memory/4788-139-0x0000000005530000-0x000000000563A000-memory.dmpFilesize
1.0MB
-
memory/4788-140-0x0000000005460000-0x0000000005472000-memory.dmpFilesize
72KB
-
memory/4788-141-0x00000000054D0000-0x000000000550C000-memory.dmpFilesize
240KB
-
memory/4788-142-0x00000000057D0000-0x0000000005836000-memory.dmpFilesize
408KB
-
memory/4788-143-0x0000000006890000-0x0000000006E34000-memory.dmpFilesize
5.6MB
-
memory/4788-144-0x00000000063C0000-0x0000000006452000-memory.dmpFilesize
584KB
-
memory/4788-145-0x00000000078F0000-0x0000000007966000-memory.dmpFilesize
472KB
-
memory/4788-146-0x0000000006840000-0x0000000006890000-memory.dmpFilesize
320KB
-
memory/4788-147-0x0000000007150000-0x0000000007312000-memory.dmpFilesize
1.8MB
-
memory/4788-148-0x0000000007EA0000-0x00000000083CC000-memory.dmpFilesize
5.2MB