Analysis
max time kernel: 136s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-08-2023 14:35
Static task: static1
Behavioral task: behavioral1
Sample: c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
Resource: win10v2004-20230703-en
General
Target: c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
Size: 2.3MB
MD5: f28730f469220391b679e575a48ddb0b
SHA1: d5863273efdb0e7e61007c4907441ce957e4f98a
SHA256: c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038
SHA512: 667ed7bf96fa21b992889c02d95e2076e8417a7617b7767049a2c87ed668e1c189ecfc3c302d30b7a202d9abb93d8320a532ba018ff382bcb98cc96e53fe1327
SSDEEP: 49152:VakDcq59geuk/NJW1BN0gQcI3EahBrZPTaZzn0WI78:09q5taPygQcI3EahBrNY/r
Malware Config
Extracted
Family: redline
C2: 45.88.3.253:26313
auth_value: 7280f9eb4f47693041f9f7d1fafe3acf
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 648 set thread context of 2880 | 648 | c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe | vbc.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 648 | c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
  Token: 33 | 648 | c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
  Token: SeIncBasePriorityPrivilege | 648 | c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 648 wrote to memory of 2880 | 648 | c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe | vbc.exe (this row is recorded 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/648-133-0x00000000746C0000-0x0000000074E70000-memory.dmp (Filesize: 7.7MB)
- memory/648-134-0x0000000000900000-0x0000000000B50000-memory.dmp (Filesize: 2.3MB)
- memory/648-135-0x0000000005B20000-0x00000000060C4000-memory.dmp (Filesize: 5.6MB)
- memory/648-136-0x0000000005570000-0x0000000005602000-memory.dmp (Filesize: 584KB)
- memory/648-137-0x0000000005560000-0x0000000005570000-memory.dmp (Filesize: 64KB)
- memory/648-146-0x00000000746C0000-0x0000000074E70000-memory.dmp (Filesize: 7.7MB)
- memory/2880-140-0x00000000746C0000-0x0000000074E70000-memory.dmp (Filesize: 7.7MB)
- memory/2880-141-0x0000000004F30000-0x0000000004F40000-memory.dmp (Filesize: 64KB)
- memory/2880-142-0x0000000006070000-0x0000000006688000-memory.dmp (Filesize: 6.1MB)
- memory/2880-143-0x0000000006690000-0x000000000679A000-memory.dmp (Filesize: 1.0MB)
- memory/2880-144-0x0000000005E80000-0x0000000005E92000-memory.dmp (Filesize: 72KB)
- memory/2880-145-0x0000000005EE0000-0x0000000005F1C000-memory.dmp (Filesize: 240KB)
- memory/2880-139-0x00000000009A0000-0x00000000009CC000-memory.dmp (Filesize: 176KB)
- memory/2880-147-0x00000000746C0000-0x0000000074E70000-memory.dmp (Filesize: 7.7MB)
- memory/2880-148-0x0000000004F30000-0x0000000004F40000-memory.dmp (Filesize: 64KB)