redline | 0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5

General

Target

Valorant Skin Changer.exe
Size

322KB
MD5

1b2ce585b75dd6ac4252f0c5d81bcc47
SHA1

9c3f77550af38239cd96c487c3c81dab612fe2be
SHA256

0b1f550d5ca453918a4677958e69fe850951123f3bc78650ba2c98fcf6683fb5
SHA512

b84997aa754233c5f838e8131b35d2cdc2133b3cd2e86e44f5a8e7a5bc1ee495137f1b58076006c3a2d141b5bbd3c0889d08a93a7d520a158463fbccf7c0301c

Score

10^/10

redline @joindsa infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@Joindsa

C2

164.132.202.45:20588

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4072-115-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/4072-120-0x000000000041C74E-mapping.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4336 created 5072 4336 WerFault.exe Valorant Skin Changer.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fl.exeservices32.exesihost32.exe

pid process

4492 fl.exe
2856 services32.exe
4952 sihost32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Valorant Skin Changer.exe

description pid process target process

PID 5072 set thread context of 4072 5072 Valorant Skin Changer.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4336 5072 WerFault.exe Valorant Skin Changer.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4460 schtasks.exe

description	pid	process	target process
PID 4336 created 5072	4336	WerFault.exe	Valorant Skin Changer.exe

pid	process
4492	fl.exe
2856	services32.exe
4952	sihost32.exe

description	pid	process	target process
PID 5072 set thread context of 4072	5072	Valorant Skin Changer.exe	AppLaunch.exe

pid	pid_target	process	target process
4336	5072	WerFault.exe	Valorant Skin Changer.exe

pid	process
4460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

WerFault.exeAppLaunch.execonhost.execonhost.exe

pid	process
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4336	WerFault.exe
4072	AppLaunch.exe
1220	conhost.exe
1756	conhost.exe
1756	conhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exeAppLaunch.execonhost.execonhost.exe

description	pid	process
Token: SeRestorePrivilege	4336	WerFault.exe
Token: SeBackupPrivilege	4336	WerFault.exe
Token: SeDebugPrivilege	4336	WerFault.exe
Token: SeDebugPrivilege	4072	AppLaunch.exe
Token: SeDebugPrivilege	1220	conhost.exe
Token: SeDebugPrivilege	1756	conhost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Valorant Skin Changer.exeAppLaunch.exefl.execonhost.execmd.execmd.exeservices32.execonhost.exesihost32.exe

description	pid	process	target process
PID 5072 wrote to memory of 4072	5072	Valorant Skin Changer.exe	AppLaunch.exe
PID 5072 wrote to memory of 4072	5072	Valorant Skin Changer.exe	AppLaunch.exe
PID 5072 wrote to memory of 4072	5072	Valorant Skin Changer.exe	AppLaunch.exe
PID 5072 wrote to memory of 4072	5072	Valorant Skin Changer.exe	AppLaunch.exe
PID 5072 wrote to memory of 4072	5072	Valorant Skin Changer.exe	AppLaunch.exe
PID 4072 wrote to memory of 4492	4072	AppLaunch.exe	fl.exe
PID 4072 wrote to memory of 4492	4072	AppLaunch.exe	fl.exe
PID 4492 wrote to memory of 1220	4492	fl.exe	conhost.exe
PID 4492 wrote to memory of 1220	4492	fl.exe	conhost.exe
PID 4492 wrote to memory of 1220	4492	fl.exe	conhost.exe
PID 1220 wrote to memory of 2016	1220	conhost.exe	cmd.exe
PID 1220 wrote to memory of 2016	1220	conhost.exe	cmd.exe
PID 2016 wrote to memory of 4460	2016	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 4460	2016	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 2320	1220	conhost.exe	cmd.exe
PID 1220 wrote to memory of 2320	1220	conhost.exe	cmd.exe
PID 2320 wrote to memory of 2856	2320	cmd.exe	services32.exe
PID 2320 wrote to memory of 2856	2320	cmd.exe	services32.exe
PID 2856 wrote to memory of 1756	2856	services32.exe	conhost.exe
PID 2856 wrote to memory of 1756	2856	services32.exe	conhost.exe
PID 2856 wrote to memory of 1756	2856	services32.exe	conhost.exe
PID 1756 wrote to memory of 4952	1756	conhost.exe	sihost32.exe
PID 1756 wrote to memory of 4952	1756	conhost.exe	sihost32.exe
PID 4952 wrote to memory of 4188	4952	sihost32.exe	conhost.exe
PID 4952 wrote to memory of 4188	4952	sihost32.exe	conhost.exe
PID 4952 wrote to memory of 4188	4952	sihost32.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer.exe
"C:\Users\Admin\AppData\Local\Temp\Valorant Skin Changer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Local\Temp\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Users\Admin\AppData\Local\Temp\services32.exe"
6⤵
- Creates scheduled task(s)
PID:4460

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\services32.exe
C:\Users\Admin\AppData\Local\Temp\services32.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services32.exe"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\System32\conhost.exe
"C:\Windows\System32\\conhost.exe" "/sihost32"
9⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 244
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
MD5
84f2160705ac9a032c002f966498ef74

SHA1
e9f3db2e1ad24a4f7e5c203af03bbc07235e704c

SHA256
7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93

SHA512
f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
481cc004b81afcb1ec10bb9985cc402b

SHA1
86fcf5d85033fcd857c865df4fa1da51b6d53bf5

SHA256
589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a

SHA512
d31d699551c0d24f86b690f27f9ee07c1778bedb008c40fd7422accfece2ceae089fa2b4508607afd2af8da5fe9f45d0be43911859cc90885b6b6876c45d5fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
481cc004b81afcb1ec10bb9985cc402b

SHA1
86fcf5d85033fcd857c865df4fa1da51b6d53bf5

SHA256
589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a

SHA512
d31d699551c0d24f86b690f27f9ee07c1778bedb008c40fd7422accfece2ceae089fa2b4508607afd2af8da5fe9f45d0be43911859cc90885b6b6876c45d5fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\services32.exe
MD5
481cc004b81afcb1ec10bb9985cc402b

SHA1
86fcf5d85033fcd857c865df4fa1da51b6d53bf5

SHA256
589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a

SHA512
d31d699551c0d24f86b690f27f9ee07c1778bedb008c40fd7422accfece2ceae089fa2b4508607afd2af8da5fe9f45d0be43911859cc90885b6b6876c45d5fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\services32.exe
MD5
481cc004b81afcb1ec10bb9985cc402b

SHA1
86fcf5d85033fcd857c865df4fa1da51b6d53bf5

SHA256
589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a

SHA512
d31d699551c0d24f86b690f27f9ee07c1778bedb008c40fd7422accfece2ceae089fa2b4508607afd2af8da5fe9f45d0be43911859cc90885b6b6876c45d5fc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
46b4b994c1ec2e58cb03932f462b9cd0

SHA1
bff08dd95b4d7d35fd2642611b2ec2c63904a289

SHA256
32f1a2ac794252d3abab03963d67e14209c47b951d9ddcd81fd1b5f820087ed9

SHA512
264fae64ecb324229f5c1864775f4454dd233eaa5a4d9244278bda6e2e231d49e6a673eaec9c4b847dfb6e1fe9f98c6168d3f44d06a9ba2f7fbfc691fc1e4363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
46b4b994c1ec2e58cb03932f462b9cd0

SHA1
bff08dd95b4d7d35fd2642611b2ec2c63904a289

SHA256
32f1a2ac794252d3abab03963d67e14209c47b951d9ddcd81fd1b5f820087ed9

SHA512
264fae64ecb324229f5c1864775f4454dd233eaa5a4d9244278bda6e2e231d49e6a673eaec9c4b847dfb6e1fe9f98c6168d3f44d06a9ba2f7fbfc691fc1e4363

Download Submit
memory/1220-427-0x000002BE59A56000-0x000002BE59A57000-memory.dmp

Filesize
4KB

Download
memory/1220-425-0x000002BE59A50000-0x000002BE59A52000-memory.dmp

Filesize
8KB

Download
memory/1220-426-0x000002BE59A53000-0x000002BE59A55000-memory.dmp

Filesize
8KB

Download
memory/1220-424-0x000002BE3F1D0000-0x000002BE3F3C0000-memory.dmp

Filesize
1.9MB

Download
memory/1756-458-0x000001ECC4C76000-0x000001ECC4C77000-memory.dmp

Filesize
4KB

Download
memory/1756-456-0x000001ECC4C70000-0x000001ECC4C72000-memory.dmp

Filesize
8KB

Download
memory/1756-457-0x000001ECC4C73000-0x000001ECC4C75000-memory.dmp

Filesize
8KB

Download
memory/2016-431-0x0000000000000000-mapping.dmp

Download
memory/2320-433-0x0000000000000000-mapping.dmp

Download
memory/2856-435-0x0000000000000000-mapping.dmp

Download
memory/4072-131-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/4072-138-0x000000000A960000-0x000000000A961000-memory.dmp

Filesize
4KB

Download
memory/4072-144-0x000000000A210000-0x000000000A211000-memory.dmp

Filesize
4KB

Download
memory/4072-157-0x000000000C540000-0x000000000C541000-memory.dmp

Filesize
4KB

Download
memory/4072-126-0x0000000009210000-0x0000000009211000-memory.dmp

Filesize
4KB

Download
memory/4072-123-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/4072-122-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/4072-127-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/4072-124-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4072-129-0x0000000008C00000-0x0000000009206000-memory.dmp

Filesize
6.0MB

Download
memory/4072-142-0x000000000A240000-0x000000000A241000-memory.dmp

Filesize
4KB

Download
memory/4072-141-0x0000000009F00000-0x0000000009F01000-memory.dmp

Filesize
4KB

Download
memory/4072-128-0x0000000008D70000-0x0000000008D71000-memory.dmp

Filesize
4KB

Download
memory/4072-143-0x000000000A360000-0x000000000A361000-memory.dmp

Filesize
4KB

Download
memory/4072-137-0x000000000A430000-0x000000000A431000-memory.dmp

Filesize
4KB

Download
memory/4072-121-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/4072-115-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4072-120-0x000000000041C74E-mapping.dmp

Download
memory/4072-130-0x0000000008CC0000-0x0000000008CC1000-memory.dmp

Filesize
4KB

Download
memory/4072-136-0x0000000009D30000-0x0000000009D31000-memory.dmp

Filesize
4KB

Download
memory/4072-132-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/4188-468-0x00000299F76E0000-0x00000299F76E2000-memory.dmp

Filesize
8KB

Download
memory/4188-467-0x00000299F5AA0000-0x00000299F5AA6000-memory.dmp

Filesize
24KB

Download
memory/4188-469-0x00000299F76E3000-0x00000299F76E5000-memory.dmp

Filesize
8KB

Download
memory/4188-470-0x00000299F76E6000-0x00000299F76E7000-memory.dmp

Filesize
4KB

Download
memory/4460-432-0x0000000000000000-mapping.dmp

Download
memory/4492-412-0x0000000000000000-mapping.dmp

Download
memory/4952-452-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads