redline | c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038

Analysis

max time kernel
136s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2023 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
Size

2.3MB
MD5

f28730f469220391b679e575a48ddb0b
SHA1

d5863273efdb0e7e61007c4907441ce957e4f98a
SHA256

c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038
SHA512

667ed7bf96fa21b992889c02d95e2076e8417a7617b7767049a2c87ed668e1c189ecfc3c302d30b7a202d9abb93d8320a532ba018ff382bcb98cc96e53fe1327
SSDEEP

49152:VakDcq59geuk/NJW1BN0gQcI3EahBrZPTaZzn0WI78:09q5taPygQcI3EahBrNY/r

Score

10^/10

redline 1 infostealer

Malware Config

Extracted

Family

redline

Botnet

45.88.3.253:26313

Attributes

auth_value
7280f9eb4f47693041f9f7d1fafe3acf

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe

description	pid	process	target process
PID 648 set thread context of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe

description	pid	process
Token: SeDebugPrivilege	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
Token: 33	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
Token: SeIncBasePriorityPrivilege	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe

description	pid	process	target process
PID 648 wrote to memory of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe
PID 648 wrote to memory of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe
PID 648 wrote to memory of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe
PID 648 wrote to memory of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe
PID 648 wrote to memory of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe
PID 648 wrote to memory of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe
PID 648 wrote to memory of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe
PID 648 wrote to memory of 2880	648	c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c0de3820d44c7aebc56f12be217cab5c5b758344750e73e1288f42e0f373f038exe_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-133-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/648-134-0x0000000000900000-0x0000000000B50000-memory.dmp

Filesize
2.3MB

Download
memory/648-135-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/648-136-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/648-137-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/648-146-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/2880-140-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/2880-141-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2880-142-0x0000000006070000-0x0000000006688000-memory.dmp

Filesize
6.1MB

Download
memory/2880-143-0x0000000006690000-0x000000000679A000-memory.dmp

Filesize
1.0MB

Download
memory/2880-144-0x0000000005E80000-0x0000000005E92000-memory.dmp

Filesize
72KB

Download
memory/2880-145-0x0000000005EE0000-0x0000000005F1C000-memory.dmp

Filesize
240KB

Download
memory/2880-139-0x00000000009A0000-0x00000000009CC000-memory.dmp

Filesize
176KB

Download
memory/2880-147-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/2880-148-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download