Analysis
-
max time kernel
132s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 19:04
Static task
static1
Behavioral task
behavioral1
Sample
f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe
Resource
win10v2004-20241007-en
General
-
Target
f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe
-
Size
2.4MB
-
MD5
850fc518f4c1456ea9242d298c913e8a
-
SHA1
a361a6b2bd593b3dab3dd49a832d06fb96d40b7a
-
SHA256
f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679
-
SHA512
b6831039411ff3cbbd1490935735e3a5e2d9ba5dc2180913b0edba1a33eb70158aefc9619de5411615655a25120449119b627b8be1101ffc02f7eb7c491f06ab
-
SSDEEP
49152:vjz9O+Sa8sUuEaPZRBhOuVmElg6oWmSEwxlUf44mv:vjhOTsmaPZRBUuVNOfklUf44mv
Malware Config
Extracted
redline
1310
79.137.192.57:48771
-
auth_value
feb5f5c29913f32658637e553762a40e
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4976-1-0x0000000000190000-0x00000000001B8000-memory.dmp family_redline -
Redline family
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3108 set thread context of 4976 3108 f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3108 wrote to memory of 4976 3108 f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe 84 PID 3108 wrote to memory of 4976 3108 f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe 84 PID 3108 wrote to memory of 4976 3108 f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe 84 PID 3108 wrote to memory of 4976 3108 f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe 84 PID 3108 wrote to memory of 4976 3108 f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe"C:\Users\Admin\AppData\Local\Temp\f1784d0827c2895d10bada66c76a90463916a3380be293da5886992a7d0c0679.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4976
-