redline | 45d0efaba2caf518e649d387606d1ebe479cb8f9fe3baf7259f2905a6c9a6b96

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gnilcr.exe
Size

173KB
MD5

98e4b1b5b793b2ece39ac08b5b175968
SHA1

cb95d3e37bf7890dbaa0d59a0ac1afdff3814e33
SHA256

45d0efaba2caf518e649d387606d1ebe479cb8f9fe3baf7259f2905a6c9a6b96
SHA512

619f262a7c83c0e73279c814a1f49f84d55f5f0bb0d514c504f200b4b227c50868858e1d7eed2f17885077bb0db4e237e92696e1b3d6451b91309ef4b4f90756
SSDEEP

3072:1b1Memvvf8fdrBOFZ9hTLfN1g0CnHYPlk3UBjuU3/MCANWFHn36CS/:3Memvvf8iFZHHfNCHYP885ANWFQ

Score

10^/10

redline infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/memory/1264-58-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/1264-59-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/1264-61-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/1264-62-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/1264-66-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/1264-69-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/1264-70-0x0000000004770000-0x00000000047B0000-memory.dmp	family_redline

Detects RedLine infostealer 7 IoCs

resource	yara_rule
behavioral1/memory/1264-58-0x0000000000080000-0x00000000000A8000-memory.dmp	MALWARE_Win_RedLine
behavioral1/memory/1264-59-0x0000000000080000-0x00000000000A8000-memory.dmp	MALWARE_Win_RedLine
behavioral1/memory/1264-61-0x0000000000080000-0x00000000000A8000-memory.dmp	MALWARE_Win_RedLine
behavioral1/memory/1264-62-0x0000000000080000-0x00000000000A8000-memory.dmp	MALWARE_Win_RedLine
behavioral1/memory/1264-66-0x0000000000080000-0x00000000000A8000-memory.dmp	MALWARE_Win_RedLine
behavioral1/memory/1264-69-0x0000000000080000-0x00000000000A8000-memory.dmp	MALWARE_Win_RedLine
behavioral1/memory/1264-70-0x0000000004770000-0x00000000047B0000-memory.dmp	MALWARE_Win_RedLine

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 1264	1764	gnilcr.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1264	vbc.exe
1264	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	vbc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28
PID 1764 wrote to memory of 1264	1764	gnilcr.exe	28

C:\Users\Admin\AppData\Local\Temp\gnilcr.exe
"C:\Users\Admin\AppData\Local\Temp\gnilcr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-56-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1264-57-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1264-58-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1264-59-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1264-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1264-61-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1264-62-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1264-66-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1264-69-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1264-70-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/1764-54-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/1764-55-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download