redline | 10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe
Size

687.2MB
MD5

b7e91d713172dd2ed07e684d42a69e2a
SHA1

49ffcaf6866abcf477f1736cae9d1ec57f678fad
SHA256

10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049
SHA512

ae7c1422ac13eb959f3b209061a8e67d3c1bdf530fa838c0bee889dcc53ec3e3966d59d2fabd22bcc333fadc61c4b5902ea7b232f661f08ea9182c3d9b6e39d8
SSDEEP

12288:OJxEjE1RrkHDS8BULn0gufJRU4WdN4tNCoF0g:6uS8GAJUn4tzF0

Score

10^/10

redline logsdiller cloud (bot: @logsdillabot)discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

213.32.44.120:6254

Attributes

auth_value
ed000008c0b59caf793b48c8ea9a7233

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4628-1-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Redline family
redline
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 4628	2924	JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4944	2924	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4628	2924	JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe	83
PID 2924 wrote to memory of 4628	2924	JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe	83
PID 2924 wrote to memory of 4628	2924	JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe	83
PID 2924 wrote to memory of 4628	2924	JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe	83
PID 2924 wrote to memory of 4628	2924	JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10996ff279c9a31dbdea82d6a3c9dbd3e51cbd7897437c98827de00a66196049.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 140
  2⤵
  - Program crash
  PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2924 -ip 2924
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-0-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/4628-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4628-6-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/4628-7-0x0000000005A70000-0x0000000006088000-memory.dmp

Filesize
6.1MB

Download
memory/4628-8-0x00000000055F0000-0x00000000056FA000-memory.dmp

Filesize
1.0MB

Download
memory/4628-9-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/4628-10-0x0000000005590000-0x00000000055CC000-memory.dmp

Filesize
240KB

Download
memory/4628-11-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/4628-12-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download
memory/4628-13-0x00000000750CE000-0x00000000750CF000-memory.dmp

Filesize
4KB

Download
memory/4628-14-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download