Analysis
-
max time kernel
134s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 10:21
Static task
static1
Behavioral task
behavioral1
Sample
c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe
Resource
win10v2004-20241007-en
General
-
Target
c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe
-
Size
277KB
-
MD5
75f4207637e56307389dfa82b3463690
-
SHA1
d7d51072a59f78314e90327a9f5f74004ae8b2a7
-
SHA256
c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b
-
SHA512
1a634a4c84a6dd8304b15ad7e7e5010e347c21f9e9f23529f6f4945b00727df6084b1d7917977e1f4fed51b8fd3dc10f5dfa1627c756152a5c9c86089fe82b52
-
SSDEEP
3072:QLjOjXj0I/hH3RvM+4UU5i7SVx/n8p+izFgTWx+PsxO:QLSjXj0I/4nFzP8p+H
Malware Config
Extracted
redline
@2023
79.137.192.28:20723
-
auth_value
93b4b7d0dc8e9415e261a402587c6710
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/memory/3740-1-0x0000000000400000-0x0000000000432000-memory.dmp family_redline behavioral2/memory/2376-13-0x0000000000A80000-0x0000000000AC4000-memory.dmp family_redline -
Redline family
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2376 set thread context of 3740 2376 c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe 87 -
Program crash 1 IoCs
pid pid_target Process procid_target 4748 2376 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2376 wrote to memory of 3740 2376 c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe 87 PID 2376 wrote to memory of 3740 2376 c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe 87 PID 2376 wrote to memory of 3740 2376 c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe 87 PID 2376 wrote to memory of 3740 2376 c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe 87 PID 2376 wrote to memory of 3740 2376 c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe"C:\Users\Admin\AppData\Local\Temp\c20188aeac3782469ac75c40911e5bae45d36f2208e286b51a5f6f5e878e371b.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- System Location Discovery: System Language Discovery
PID:3740
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 4202⤵
- Program crash
PID:4748
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2376 -ip 23761⤵PID:4700