redline | 5a37399feb2eebccfcb6268fcf8ed8bc1e3243ec0797daa5a6d8a4cdc993129f

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/06/2023, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

430KB
MD5

38590b49503ebe86502c9418f11e7458
SHA1

9014f82d54690aaa6e0a8d602933ec6b79ce2a91
SHA256

5a37399feb2eebccfcb6268fcf8ed8bc1e3243ec0797daa5a6d8a4cdc993129f
SHA512

5d9a99832f4b56a94514c2c814e0d9fd4c82cd39782d0c2ac6d83b476227091bdbdd27a4d45568cc5e2ee7f5763cf6a4030d0cbfed4c52cf635dacae64468dc7
SSDEEP

6144:2prkauGpxdr+Q/BsWkrjr6dCJ77cIniSSSPauIvt9gINkSVvVERuAXJunb6:2pIuh+YBnEXTdPauUgINzFVERuAXb

Score

10^/10

redline instals infostealer

Malware Config

Extracted

Family

redline

Botnet

Instals

89.23.97.107:8086

Attributes

auth_value
8a82a3c9eb67dfb581f57e3f2c7aefe6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 576	1292	file.exe	35

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1264	576	WerFault.exe	35

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1292	file.exe
1292	file.exe
1292	file.exe
1292	file.exe
1292	file.exe
1292	file.exe
1292	file.exe
1292	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	file.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1988	1292	file.exe	27
PID 1292 wrote to memory of 1988	1292	file.exe	27
PID 1292 wrote to memory of 1988	1292	file.exe	27
PID 1292 wrote to memory of 1724	1292	file.exe	28
PID 1292 wrote to memory of 1724	1292	file.exe	28
PID 1292 wrote to memory of 1724	1292	file.exe	28
PID 1292 wrote to memory of 776	1292	file.exe	29
PID 1292 wrote to memory of 776	1292	file.exe	29
PID 1292 wrote to memory of 776	1292	file.exe	29
PID 1292 wrote to memory of 436	1292	file.exe	30
PID 1292 wrote to memory of 436	1292	file.exe	30
PID 1292 wrote to memory of 436	1292	file.exe	30
PID 1292 wrote to memory of 436	1292	file.exe	30
PID 1292 wrote to memory of 676	1292	file.exe	31
PID 1292 wrote to memory of 676	1292	file.exe	31
PID 1292 wrote to memory of 676	1292	file.exe	31
PID 1292 wrote to memory of 1928	1292	file.exe	32
PID 1292 wrote to memory of 1928	1292	file.exe	32
PID 1292 wrote to memory of 1928	1292	file.exe	32
PID 1292 wrote to memory of 1348	1292	file.exe	33
PID 1292 wrote to memory of 1348	1292	file.exe	33
PID 1292 wrote to memory of 1348	1292	file.exe	33
PID 1292 wrote to memory of 524	1292	file.exe	34
PID 1292 wrote to memory of 524	1292	file.exe	34
PID 1292 wrote to memory of 524	1292	file.exe	34
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 1292 wrote to memory of 576	1292	file.exe	35
PID 576 wrote to memory of 1264	576	SetupUtility.exe	36
PID 576 wrote to memory of 1264	576	SetupUtility.exe	36
PID 576 wrote to memory of 1264	576	SetupUtility.exe	36
PID 576 wrote to memory of 1264	576	SetupUtility.exe	36

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 168
    3⤵
    - Program crash
    PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1292-54-0x0000000000BC0000-0x0000000000C30000-memory.dmp

Filesize
448KB

Download
memory/1292-55-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download