Analysis
max time kernel: 158s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-03-2023 17:17
Static task: static1
Behavioral task: behavioral1
  Sample: Camtasia.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Camtasia.exe
  Resource: win10v2004-20230220-en
General
Target: Camtasia.exe
Size: 701.0MB
MD5: 3edabce0833a1fe15dcf374c29ad293e
SHA1: 68aec7add651fcb8597a0b5e5943b9bc460e4875
SHA256: bc0c6f3edcce5f2b15ce4c6f1dbb391c8379693ddf7532462f33857eb6f0ffbd
SHA512: 1f34ff99afd072fea608cc52887f1d11726bf02c043d76cee24403a6f4bfa18e9ef7bbe916a31dae5600a5e9fa0785bd48836788306f4211dd24096b9e2a58db
SSDEEP: 3072:q1/3moQkgU0CwlvwReBFpkVLSYrVEWYw+QeTOUD69qjiwcI/s2o7Pn9SgOStEWLU:yWxNv+eyOq+JTDaq2Jf2mnAgNfSVLD
Malware Config
Extracted
  Family: redline
  Botnet: yt
  C2: 65.109.139.121:28859
  auth_value: c85b149d6d3359b3fe4dd1dfcc5864e8
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | process: Camtasia.exe
Executes dropped EXE (1 IoC)
  Processes:
    pid: 5012 | process: TrashExe (1).exe
Uses the VBS compiler for execution (1 TTP)
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2152 set thread context of 4580 | pid: 2152 | process: Camtasia.exe | target process: vbc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 4580 | process: vbc.exe
    pid: 4580 | process: vbc.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 4580 | process: vbc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description: PID 2152 wrote to memory of 4580 | pid: 2152 | process: Camtasia.exe | target process: vbc.exe (8 entries)
    description: PID 2152 wrote to memory of 5012 | pid: 2152 | process: Camtasia.exe | target process: TrashExe (1).exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\Camtasia.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Camtasia.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Users\Admin\AppData\Local\Temp\TrashExe (1).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TrashExe (1).exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\TrashExe (1).exe
  Filesize: 3KB
  MD5: 43c14a07b0a83cb0ade9f7da7b0ca394
  SHA1: 79d457fc5c171c3677c50d19e7df3baf5f1311a8
  SHA256: 3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36
  SHA512: 9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c
memory/2152-134-0x00000000052B0000-0x00000000052C0000-memory.dmp  Filesize: 64KB
memory/2152-154-0x00000000052B0000-0x00000000052C0000-memory.dmp  Filesize: 64KB
memory/2152-133-0x00000000007C0000-0x0000000000802000-memory.dmp  Filesize: 264KB
memory/4580-139-0x0000000005090000-0x00000000050A2000-memory.dmp  Filesize: 72KB
memory/4580-155-0x0000000005430000-0x00000000054C2000-memory.dmp  Filesize: 584KB
memory/4580-148-0x0000000005100000-0x0000000005110000-memory.dmp  Filesize: 64KB
memory/4580-138-0x0000000005160000-0x000000000526A000-memory.dmp  Filesize: 1.0MB
memory/4580-137-0x0000000005600000-0x0000000005C18000-memory.dmp  Filesize: 6.1MB
memory/4580-161-0x0000000006A10000-0x0000000006A86000-memory.dmp  Filesize: 472KB
memory/4580-135-0x0000000000400000-0x0000000000432000-memory.dmp  Filesize: 200KB
memory/4580-147-0x0000000005110000-0x000000000514C000-memory.dmp  Filesize: 240KB
memory/4580-156-0x00000000061D0000-0x0000000006774000-memory.dmp  Filesize: 5.6MB
memory/4580-157-0x0000000005540000-0x00000000055A6000-memory.dmp  Filesize: 408KB
memory/4580-158-0x0000000005100000-0x0000000005110000-memory.dmp  Filesize: 64KB
memory/4580-159-0x0000000006B50000-0x0000000006D12000-memory.dmp  Filesize: 1.8MB
memory/4580-160-0x0000000007250000-0x000000000777C000-memory.dmp  Filesize: 5.2MB
memory/4580-162-0x0000000006A90000-0x0000000006AE0000-memory.dmp  Filesize: 320KB
memory/5012-152-0x0000000000A80000-0x0000000000A88000-memory.dmp  Filesize: 32KB