redline | 6b11e77eee3f401356c240303da1b819ec0b12fb82bfb6ac5f3a1b08a00f3d49

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe
Size

7.3MB
MD5

7278b6ce3ddda7dba2473e0392e54ea6
SHA1

3b406f221237fe9bfce48daa9033eda93ecc9b94
SHA256

6b11e77eee3f401356c240303da1b819ec0b12fb82bfb6ac5f3a1b08a00f3d49
SHA512

02a8d04d327757e3d9df6de2d14b5e2143e01798bf25a51e32555afeac494ae64f66fd5493a9ce28ce850be48c6febe264c61330e67391c694fd910a99247f72
SSDEEP

196608:+dgX4LVznF3zQgkIRflnOzSc4pGRo9Jvy:3UzdzqIRtnYSi6zvy

Score

10^/10

redline metafile infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

metafile

91.103.252.39:7899

Attributes

auth_value
9ac6dc6d653e5268fd38b21a0ec2b458

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4984	vbc.exe
4984	vbc.exe
4984	vbc.exe
4984	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	vbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82
PID 2668 wrote to memory of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82
PID 2668 wrote to memory of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82
PID 2668 wrote to memory of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82
PID 2668 wrote to memory of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82
PID 2668 wrote to memory of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82
PID 2668 wrote to memory of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82
PID 2668 wrote to memory of 4984	2668	6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe	82

C:\Users\Admin\AppData\Local\Temp\6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe
"C:\Users\Admin\AppData\Local\Temp\6b11e77eee3f401356c240303da1b819ec0b12fb82bfb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-5-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/2668-1-0x0000000000C00000-0x000000000135E000-memory.dmp

Filesize
7.4MB

Download
memory/2668-2-0x0000000005E00000-0x0000000005E10000-memory.dmp

Filesize
64KB

Download
memory/2668-0-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/4984-11-0x0000000005290000-0x00000000052CC000-memory.dmp

Filesize
240KB

Download
memory/4984-14-0x0000000006AC0000-0x0000000007064000-memory.dmp

Filesize
5.6MB

Download
memory/4984-7-0x0000000005A00000-0x0000000006018000-memory.dmp

Filesize
6.1MB

Download
memory/4984-8-0x00000000054F0000-0x00000000055FA000-memory.dmp

Filesize
1.0MB

Download
memory/4984-9-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4984-10-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/4984-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4984-12-0x00000000056B0000-0x0000000005726000-memory.dmp

Filesize
472KB

Download
memory/4984-13-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/4984-6-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/4984-15-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/4984-16-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/4984-17-0x00000000059A0000-0x00000000059F0000-memory.dmp

Filesize
320KB

Download
memory/4984-18-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/4984-19-0x0000000007240000-0x0000000007402000-memory.dmp

Filesize
1.8MB

Download
memory/4984-20-0x0000000007C90000-0x00000000081BC000-memory.dmp

Filesize
5.2MB

Download
memory/4984-22-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download