redline | 267611a017bb24a4c7b3231f4c5bd2688265fe0c59a30d3ce463a84cd8d7b76a

Analysis

max time kernel
25s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/04/2023, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Miner Tool v1.4.0.exe
Size

746.7MB
MD5

1507da8516ea70c6b83d8c351dcf2478
SHA1

4d976fb0bb770fe9789e2c4275e0d8dddee8333a
SHA256

fa8f526f6498f0ecfd179876064cd7b19a66cf39cf07eb994e2aa95ed505bc0e
SHA512

80a73ee8950d7046ccdd4fb06332f97ba470fa6a7466b04f56680a401588dd8cea57c4da2d759db1c12b57a01c3995a824ff3fe332435fbd558e07fe3dc6ec4f
SSDEEP

49152:WOZM2g29VOD1yQpHfzivSp5vrMtyqvFhbqo4uHBlBcl:PLa1JpzivevrMty8bqozB

Score

10^/10

redline 25.03 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

25.03

37.220.87.78:25387

Attributes

auth_value
5cfc89aee6c1fd926c66b4cb6c07caa2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1576 set thread context of 864	1576	Miner Tool v1.4.0.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
864	vbc.exe
864	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	864	vbc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29
PID 1576 wrote to memory of 864	1576	Miner Tool v1.4.0.exe	29

C:\Users\Admin\AppData\Local\Temp\Miner Tool v1.4.0.exe
"C:\Users\Admin\AppData\Local\Temp\Miner Tool v1.4.0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-55-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/864-56-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/864-57-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/864-58-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/864-59-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/864-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/864-61-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/864-63-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/864-65-0x0000000000080000-0x00000000000C6000-memory.dmp

Filesize
280KB

Download
memory/864-66-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1576-54-0x0000000140000000-0x000000014026D000-memory.dmp

Filesize
2.4MB

Download