Analysis
max time kernel: 134s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2023 18:14
Static task: static1
Behavioral task: behavioral1
Sample: c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
Resource: win10v2004-20221111-en
General
Target: c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
Size: 355KB
MD5: a4d0dbf9045deed9778135b5af1440c3
SHA1: 008884082f6f52d379311ad9e9f50190b0923a6b
SHA256: c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2
SHA512: 1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc
SSDEEP: 6144:9cj+Ny5p0BGxJ1ryIF7AOrjONMd4c7SikPiCsBJV:m+Ny5p0BEf7hONs2h6BJ
Malware Config
Extracted
Family: redline
Botnet: adel
C2: 62.233.51.177:14107
auth_value: 6ba5b78fc0fccdad3cc87ea2ca866fc2
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: set thread context of 1896; pid: 5112; process: c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe; target process: vbc.exe
- Program crash (1 IoC)
  Processes:
  pid: 1100; pid_target: 5112; process: WerFault.exe; target process: c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description: wrote to memory of 1896; pid: 5112; process: c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe; target process: vbc.exe (this identical event is recorded 5 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 240
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5112 -ip 5112
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1896-132-0x0000000000000000-mapping.dmp
- memory/1896-133-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/1896-138-0x0000000005720000-0x0000000005D38000-memory.dmp (Filesize: 6.1MB)
- memory/1896-139-0x00000000052A0000-0x00000000053AA000-memory.dmp (Filesize: 1.0MB)
- memory/1896-140-0x00000000051D0000-0x00000000051E2000-memory.dmp (Filesize: 72KB)
- memory/1896-141-0x0000000005230000-0x000000000526C000-memory.dmp (Filesize: 240KB)