Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/11/2024, 10:21

General

  • Target

    c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe

  • Size

    277KB

  • MD5

    75f4207637e56307389dfa82b3463690

  • SHA1

    d7d51072a59f78314e90327a9f5f74004ae8b2a7

  • SHA256

    c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b

  • SHA512

    1a634a4c84a6dd8304b15ad7e7e5010e347c21f9e9f23529f6f4945b00727df6084b1d7917977e1f4fed51b8fd3dc10f5dfa1627c756152a5c9c86089fe82b52

  • SSDEEP

    3072:QLjOjXj0I/hH3RvM+4UU5i7SVx/n8p+izFgTWx+PsxO:QLSjXj0I/4nFzP8p+H

Malware Config

Extracted

Family

redline

Botnet

@2023

C2

79.137.192.28:20723

Attributes
  • auth_value

    93b4b7d0dc8e9415e261a402587c6710

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • Redline family
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe
    "C:\Users\Admin\AppData\Local\Temp\c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2368
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 36
      2⤵
      • Program crash
      PID:2408

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2368-8-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

        • memory/2368-9-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

        • memory/2368-1-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

        • memory/2368-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

        • memory/2368-2-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

        • memory/2368-10-0x00000000740DE000-0x00000000740DF000-memory.dmp

          Filesize

          4KB

        • memory/2368-11-0x00000000740D0000-0x00000000747BE000-memory.dmp

          Filesize

          6.9MB

        • memory/2368-12-0x00000000740DE000-0x00000000740DF000-memory.dmp

          Filesize

          4KB

        • memory/2368-14-0x00000000740D0000-0x00000000747BE000-memory.dmp

          Filesize

          6.9MB

        • memory/2556-0-0x000000000091A000-0x000000000091B000-memory.dmp

          Filesize

          4KB

        • memory/2556-13-0x0000000000910000-0x0000000000954000-memory.dmp

          Filesize

          272KB