redline | f2a55c47f500efa4bb1b41487cf512c38b0f7438ed955656cceb51a2c11c2d6a

Analysis

max time kernel
141s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/03/2023, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pureland.exe
Size

700.6MB
MD5

68640753e6d7039bc457b03a5b57fd39
SHA1

cfb3951c0d484c3e52054104979e7c024b178f87
SHA256

7ce78fb87ca8d2691f753907b64147f0de94b236b0e0fbaccf40f2ecbe15cb23
SHA512

1e5cdfe988b92cf90ac2f7aa1449dd830377023522feb3e2129bda2a73c2ac588408e24ade5a5301bc26b68bd20bdecaae5927fd097e12d686e2809d1d94158e
SSDEEP

12288:F6P7l6yr6BCInd92qFfZ0ElbvCJSPypmECG0H6aXYGkA:wIyr8CHElbvCJS6pmECGzaXYGV

Score

10^/10

redline 5hr infostealer

Malware Config

Extracted

Family

redline

Botnet

5hr

167.235.233.35:16621

Attributes

auth_value
b321fb9762768a15049957e99160b383

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 2024	1204	pureland.exe	28

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2024	1204	pureland.exe	28
PID 1204 wrote to memory of 2024	1204	pureland.exe	28
PID 1204 wrote to memory of 2024	1204	pureland.exe	28
PID 1204 wrote to memory of 2024	1204	pureland.exe	28
PID 1204 wrote to memory of 2024	1204	pureland.exe	28
PID 1204 wrote to memory of 2024	1204	pureland.exe	28
PID 1204 wrote to memory of 2024	1204	pureland.exe	28
PID 1204 wrote to memory of 2024	1204	pureland.exe	28
PID 1204 wrote to memory of 2024	1204	pureland.exe	28

C:\Users\Admin\AppData\Local\Temp\pureland.exe
"C:\Users\Admin\AppData\Local\Temp\pureland.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-54-0x0000000000A70000-0x0000000000B16000-memory.dmp

Filesize
664KB

Download
memory/1204-55-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/1204-72-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/2024-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2024-58-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2024-59-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2024-57-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2024-62-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2024-63-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2024-67-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2024-70-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2024-71-0x0000000000660000-0x00000000006A0000-memory.dmp

Filesize
256KB

Download
memory/2024-56-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/2024-73-0x0000000000660000-0x00000000006A0000-memory.dmp

Filesize
256KB

Download