redline | 0fc6f52cae946a367dca16728eab871b1610fc044c2bc3d5ab640a71e49e50a1

Analysis

max time kernel
139s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee88a284fb166e55f13a75ea3096d22c.exe
Size

1.3MB
MD5

ee88a284fb166e55f13a75ea3096d22c
SHA1

8d1ca81068a1286f89ce4bc23a4ce3d3e5bf64e4
SHA256

0fc6f52cae946a367dca16728eab871b1610fc044c2bc3d5ab640a71e49e50a1
SHA512

aadde4249c9ee5db44abc503dcc58e06ab305951b2ee37c432f1013cfed67e8734eb7dc833cf920784f79a7e599125ee8a10ba95cbe769779bea562799080dc7
SSDEEP

24576:qg9yLp0HmYObBpsiWo/8M8zmssIpcbiLq96:FJHmYOb0gPWg

Score

10^/10

redline legendaryinstalls_20230918 infostealer

Malware Config

Extracted

Family

redline

Botnet

LegendaryInstalls_20230918

62.72.23.19:80

Attributes

auth_value
7e2e28855818d91285389c56372566f4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 1164	1960	ee88a284fb166e55f13a75ea3096d22c.exe	28

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1164	1960	ee88a284fb166e55f13a75ea3096d22c.exe	28
PID 1960 wrote to memory of 1164	1960	ee88a284fb166e55f13a75ea3096d22c.exe	28
PID 1960 wrote to memory of 1164	1960	ee88a284fb166e55f13a75ea3096d22c.exe	28
PID 1960 wrote to memory of 1164	1960	ee88a284fb166e55f13a75ea3096d22c.exe	28
PID 1960 wrote to memory of 1164	1960	ee88a284fb166e55f13a75ea3096d22c.exe	28
PID 1960 wrote to memory of 1164	1960	ee88a284fb166e55f13a75ea3096d22c.exe	28

C:\Users\Admin\AppData\Local\Temp\ee88a284fb166e55f13a75ea3096d22c.exe
"C:\Users\Admin\AppData\Local\Temp\ee88a284fb166e55f13a75ea3096d22c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1164-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1164-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1164-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1164-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1164-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1164-12-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1164-13-0x00000000003A0000-0x00000000003A6000-memory.dmp

Filesize
24KB

Download
memory/1164-14-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1164-15-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1164-16-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1960-1-0x0000000000920000-0x0000000000AC8000-memory.dmp

Filesize
1.7MB

Download
memory/1960-10-0x0000000000920000-0x0000000000AC8000-memory.dmp

Filesize
1.7MB

Download
memory/1960-0-0x0000000000920000-0x0000000000AC8000-memory.dmp

Filesize
1.7MB

Download