redline | c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2023 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
Size

355KB
MD5

a4d0dbf9045deed9778135b5af1440c3
SHA1

008884082f6f52d379311ad9e9f50190b0923a6b
SHA256

c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2
SHA512

1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc
SSDEEP

6144:9cj+Ny5p0BGxJ1ryIF7AOrjONMd4c7SikPiCsBJV:m+Ny5p0BEf7hONs2h6BJ

Score

10^/10

redline adel infostealer

Malware Config

Extracted

Family

redline

Botnet

adel

62.233.51.177:14107

Attributes

auth_value
6ba5b78fc0fccdad3cc87ea2ca866fc2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

description	pid	process	target process
PID 5112 set thread context of 1896	5112	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1100 5112 WerFault.exe c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

pid	pid_target	process	target process
1100	5112	WerFault.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

description	pid	process	target process
PID 5112 wrote to memory of 1896	5112	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 5112 wrote to memory of 1896	5112	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 5112 wrote to memory of 1896	5112	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 5112 wrote to memory of 1896	5112	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 5112 wrote to memory of 1896	5112	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
"C:\Users\Admin\AppData\Local\Temp\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 240
2⤵
- Program crash
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5112 -ip 5112
1⤵
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-132-0x0000000000000000-mapping.dmp

Download
memory/1896-133-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1896-138-0x0000000005720000-0x0000000005D38000-memory.dmp

Filesize
6.1MB

Download
memory/1896-139-0x00000000052A0000-0x00000000053AA000-memory.dmp

Filesize
1.0MB

Download
memory/1896-140-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/1896-141-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download