redline | 2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec

Analysis

max time kernel
146s
max time network
153s
platform
windows10_x64
resource
win10-20220414-en
submitted
13-06-2022 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe
Size

745KB
MD5

f34c6e0ea0a2c9247d5a0e36d635852d
SHA1

369f9bc22c48f1d988456ab69d777314c83f2e6e
SHA256

2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec
SHA512

adf2ec317fb8977b67cbd53b699c04b1a47264ddd2be5eddf7950b84326c7d94b6c6824b407fa8d212064c32873393c3ff1ebf9fb6aa11efef94fcbdffb9076d

Score

10^/10

redline 76 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

139.99.32.83:43199

Attributes

auth_value
44d461325298129ed3c705440f57962c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1420-131-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1420-136-0x000000000041AD5A-mapping.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe

description	pid	process	target process
PID 1940 set thread context of 1420	1940	2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1020 1940 WerFault.exe 2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AppLaunch.exe

pid process

1420 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1420 AppLaunch.exe

pid	pid_target	process	target process
1020	1940	WerFault.exe	2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe

pid	process
1420	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1420	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe

description	pid	process	target process
PID 1940 wrote to memory of 1420	1940	2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe	AppLaunch.exe
PID 1940 wrote to memory of 1420	1940	2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe	AppLaunch.exe
PID 1940 wrote to memory of 1420	1940	2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe	AppLaunch.exe
PID 1940 wrote to memory of 1420	1940	2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe	AppLaunch.exe
PID 1940 wrote to memory of 1420	1940	2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe
"C:\Users\Admin\AppData\Local\Temp\2767063cd254ba4d4387b141d8c749d60f47b955ee0c67be61d56fd4da393fec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 300
2⤵
- Program crash
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-162-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-182-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-137-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-138-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-139-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-163-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-489-0x000000000B0F0000-0x000000000B61C000-memory.dmp

Filesize
5.2MB

Download
memory/1420-488-0x000000000A9F0000-0x000000000ABB2000-memory.dmp

Filesize
1.8MB

Download
memory/1420-475-0x0000000009F40000-0x0000000009F90000-memory.dmp

Filesize
320KB

Download
memory/1420-224-0x0000000009DC0000-0x0000000009DDE000-memory.dmp

Filesize
120KB

Download
memory/1420-220-0x0000000009E00000-0x0000000009E92000-memory.dmp

Filesize
584KB

Download
memory/1420-219-0x0000000009CE0000-0x0000000009D56000-memory.dmp

Filesize
472KB

Download
memory/1420-216-0x000000000A120000-0x000000000A61E000-memory.dmp

Filesize
5.0MB

Download
memory/1420-208-0x0000000009110000-0x0000000009176000-memory.dmp

Filesize
408KB

Download
memory/1420-199-0x0000000008E20000-0x0000000008E6B000-memory.dmp

Filesize
300KB

Download
memory/1420-131-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1420-140-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-143-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-141-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-144-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-146-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-147-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-148-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-149-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-150-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-151-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-152-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-153-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-154-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-155-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-156-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-157-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-158-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-159-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-160-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-161-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-197-0x0000000008DE0000-0x0000000008E1E000-memory.dmp

Filesize
248KB

Download
memory/1420-194-0x0000000008EB0000-0x0000000008FBA000-memory.dmp

Filesize
1.0MB

Download
memory/1420-175-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-165-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-166-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-167-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-168-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-170-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-171-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-172-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-173-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-174-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-176-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-164-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-177-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-179-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-178-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-180-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-181-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-136-0x000000000041AD5A-mapping.dmp

Download
memory/1420-183-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-184-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-192-0x0000000009310000-0x0000000009916000-memory.dmp

Filesize
6.0MB

Download
memory/1420-193-0x0000000008D80000-0x0000000008D92000-memory.dmp

Filesize
72KB

Download
memory/1940-122-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-119-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-125-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-120-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-123-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-127-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-126-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-124-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-121-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-118-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-117-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-116-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-128-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-129-0x0000000077230000-0x00000000773BE000-memory.dmp

Filesize
1.6MB

Download
memory/1940-130-0x000000000151A000-0x000000000151C000-memory.dmp

Filesize
8KB

Download