redline | ee23aac95e9bf15da275f635fe526a244290b84b92217fc99706dca802693f72

General

Target

QUOTE .js
Size

17KB
MD5

d6b787f507ee09398e2011a56d184699
SHA1

d34ad5be20b28078dff0e74a6deadb8198b79503
SHA256

ee23aac95e9bf15da275f635fe526a244290b84b92217fc99706dca802693f72
SHA512

fc74b69ee7f1de5b7bb386885e37836d7ea783f47ad1cb1515f2a5c56aa4320c48882cd7fffe522aee22e454a8ec7646d655738d9d2b94c2cc47487a8c617c35

Score

10^/10

redline vjw0rm bigcash discovery infostealer persistence spyware stealer suricata trojan worm

Malware Config

Extracted

Family

redline

Botnet

bigcash

C2

45.137.22.137:37747

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\em.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\em.exe	family_redline
behavioral2/memory/4376-135-0x0000000000600000-0x000000000061E000-memory.dmp	family_redline

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Blocklisted process makes network request 7 IoCs

Processes:

wscript.exewscript.exe

flow pid process

6 2156 wscript.exe
8 920 wscript.exe
30 920 wscript.exe
38 920 wscript.exe
42 920 wscript.exe
43 920 wscript.exe
44 920 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

em.exe

pid process

4376 em.exe

flow	pid	process
6	2156	wscript.exe
8	920	wscript.exe
30	920	wscript.exe
38	920	wscript.exe
42	920	wscript.exe
43	920	wscript.exe
44	920	wscript.exe

pid	process
4376	em.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weVXcANTow.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weVXcANTow.js	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\weVXcANTow.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

em.exe

pid process

4376 em.exe
4376 em.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

em.exe

description pid process

Token: SeDebugPrivilege 4376 em.exe

pid	process
4376	em.exe
4376	em.exe

description	pid	process
Token: SeDebugPrivilege	4376	em.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 2156 wrote to memory of 920	2156	wscript.exe	wscript.exe
PID 2156 wrote to memory of 920	2156	wscript.exe	wscript.exe
PID 2156 wrote to memory of 4376	2156	wscript.exe	em.exe
PID 2156 wrote to memory of 4376	2156	wscript.exe	em.exe
PID 2156 wrote to memory of 4376	2156	wscript.exe	em.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\QUOTE .js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\weVXcANTow.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:920

C:\Users\Admin\AppData\Local\Temp\em.exe
"C:\Users\Admin\AppData\Local\Temp\em.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\em.exe
Filesize
95KB

MD5
8a428a10e4b3a287b2da89c990faec37

SHA1
e431372ada47439b2389ccb6cb9a22813aafd3a0

SHA256
1994587aad261a1b99d6b9f4c317a5def389344142609065cf1a7ddf668686f4

SHA512
24b89a2df88f97f83586852b053ad9c8c1e879ff4d2605b74f2ddcd978f706fc501c0967fcf0841f45890bf1fbec46cab56a41fbe3d5541ed662295965b0a98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\em.exe
Filesize
95KB

MD5
8a428a10e4b3a287b2da89c990faec37

SHA1
e431372ada47439b2389ccb6cb9a22813aafd3a0

SHA256
1994587aad261a1b99d6b9f4c317a5def389344142609065cf1a7ddf668686f4

SHA512
24b89a2df88f97f83586852b053ad9c8c1e879ff4d2605b74f2ddcd978f706fc501c0967fcf0841f45890bf1fbec46cab56a41fbe3d5541ed662295965b0a98d

Download Submit
C:\Users\Admin\AppData\Roaming\weVXcANTow.js
Filesize
7KB

MD5
f89eb26fbbf0c45cd8435cbed357bd70

SHA1
b3169b13684f25e8a2a54121e28abbfd78d6a811

SHA256
3ea50a531f40f6b3953930b14aefb043da2de693cce57194a9a6e6787c7b26d3

SHA512
378b2f3d7783507447993ab0616d351c5a7e2c4ffdb4cde7889fdcac25f8bf74fb14cd0782c9a92a81d177c8e9460ad600e633669ce2085bf950ccf33f577784

Download Submit
memory/920-130-0x0000000000000000-mapping.dmp

Download
memory/4376-138-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/4376-135-0x0000000000600000-0x000000000061E000-memory.dmp

Filesize
120KB

Download
memory/4376-136-0x0000000005760000-0x0000000005D78000-memory.dmp

Filesize
6.1MB

Download
memory/4376-137-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/4376-132-0x0000000000000000-mapping.dmp

Download
memory/4376-139-0x0000000005290000-0x000000000539A000-memory.dmp

Filesize
1.0MB

Download
memory/4376-140-0x0000000006570000-0x0000000006732000-memory.dmp

Filesize
1.8MB

Download
memory/4376-141-0x0000000006C70000-0x000000000719C000-memory.dmp

Filesize
5.2MB

Download
memory/4376-142-0x0000000006500000-0x0000000006566000-memory.dmp

Filesize
408KB

Download
memory/4376-143-0x0000000007750000-0x0000000007CF4000-memory.dmp

Filesize
5.6MB

Download
memory/4376-144-0x0000000006A70000-0x0000000006AE6000-memory.dmp

Filesize
472KB

Download
memory/4376-145-0x0000000006B90000-0x0000000006C22000-memory.dmp

Filesize
584KB

Download
memory/4376-146-0x00000000073A0000-0x00000000073BE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads