redline | 538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

General

Target

SecuriteInfo.com.Variant.Ursu.588815.10992.exe
Size

525KB
MD5

15f43d61bee241657b1ad10d6aa11e57
SHA1

83e96ecb233bd270b4f002c55aa28e92306650ef
SHA256

538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8
SHA512

0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Score

10^/10

redline wizzy infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

wizzy

C2

107.182.128.57:48273

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1224-59-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1224-60-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1224-61-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1224-62-0x000000000041933E-mapping.dmp	family_redline
behavioral1/memory/1224-64-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1224-68-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1472-83-0x000000000041933E-mapping.dmp	family_redline
behavioral1/memory/1472-90-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1472-88-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1932-102-0x000000000041933E-mapping.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

chromer.exechromer.exe

pid process

988 chromer.exe
2032 chromer.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
988	chromer.exe
2032	chromer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.588815.10992.exechromer.exechromer.exe

description	pid	process	target process
PID 1152 set thread context of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 988 set thread context of 1472	988	chromer.exe	vbc.exe
PID 2032 set thread context of 1932	2032	chromer.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

584 schtasks.exe
1612 schtasks.exe
1964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exevbc.exe

pid process

1224 vbc.exe
1224 vbc.exe
1472 vbc.exe
1472 vbc.exe

pid	process
584	schtasks.exe
1612	schtasks.exe
1964	schtasks.exe

pid	process
1224	vbc.exe
1224	vbc.exe
1472	vbc.exe
1472	vbc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.588815.10992.exevbc.exechromer.exevbc.exechromer.exe

description	pid	process
Token: SeDebugPrivilege	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe
Token: SeDebugPrivilege	1224	vbc.exe
Token: SeDebugPrivilege	988	chromer.exe
Token: SeDebugPrivilege	1472	vbc.exe
Token: SeDebugPrivilege	2032	chromer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.588815.10992.execmd.exetaskeng.exechromer.execmd.exechromer.exe

description	pid	process	target process
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 1224	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1152 wrote to memory of 952	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 952	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 952	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 952	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 1992	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 1992	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 1992	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 1992	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 1784	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 1784	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 1784	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1152 wrote to memory of 1784	1152	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1992 wrote to memory of 584	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 584	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 584	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 584	1992	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 988	1540	taskeng.exe	chromer.exe
PID 1540 wrote to memory of 988	1540	taskeng.exe	chromer.exe
PID 1540 wrote to memory of 988	1540	taskeng.exe	chromer.exe
PID 1540 wrote to memory of 988	1540	taskeng.exe	chromer.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1472	988	chromer.exe	vbc.exe
PID 988 wrote to memory of 1504	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 1504	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 1504	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 1504	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 552	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 552	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 552	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 552	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 996	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 996	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 996	988	chromer.exe	cmd.exe
PID 988 wrote to memory of 996	988	chromer.exe	cmd.exe
PID 552 wrote to memory of 1612	552	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1612	552	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1612	552	cmd.exe	schtasks.exe
PID 552 wrote to memory of 1612	552	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 2032	1540	taskeng.exe	chromer.exe
PID 1540 wrote to memory of 2032	1540	taskeng.exe	chromer.exe
PID 1540 wrote to memory of 2032	1540	taskeng.exe	chromer.exe
PID 1540 wrote to memory of 2032	1540	taskeng.exe	chromer.exe
PID 2032 wrote to memory of 1932	2032	chromer.exe	vbc.exe
PID 2032 wrote to memory of 1932	2032	chromer.exe	vbc.exe
PID 2032 wrote to memory of 1932	2032	chromer.exe	vbc.exe
PID 2032 wrote to memory of 1932	2032	chromer.exe	vbc.exe
PID 2032 wrote to memory of 1932	2032	chromer.exe	vbc.exe
PID 2032 wrote to memory of 1932	2032	chromer.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
2⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
3⤵
- Creates scheduled task(s)
PID:584

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
2⤵
PID:1784

C:\Windows\system32\taskeng.exe
taskeng.exe {E0263847-690D-4DFC-8207-571A4F414999} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
3⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1612

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
3⤵
PID:996

C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
3⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
3⤵
PID:1868

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
3⤵
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
Filesize
525KB

MD5
15f43d61bee241657b1ad10d6aa11e57

SHA1
83e96ecb233bd270b4f002c55aa28e92306650ef

SHA256
538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

SHA512
0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Download Submit
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
Filesize
525KB

MD5
15f43d61bee241657b1ad10d6aa11e57

SHA1
83e96ecb233bd270b4f002c55aa28e92306650ef

SHA256
538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

SHA512
0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Download Submit
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
Filesize
525KB

MD5
15f43d61bee241657b1ad10d6aa11e57

SHA1
83e96ecb233bd270b4f002c55aa28e92306650ef

SHA256
538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

SHA512
0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Download Submit
memory/552-85-0x0000000000000000-mapping.dmp

Download
memory/568-103-0x0000000000000000-mapping.dmp

Download
memory/584-70-0x0000000000000000-mapping.dmp

Download
memory/952-65-0x0000000000000000-mapping.dmp

Download
memory/988-75-0x0000000000E20000-0x0000000000EAA000-memory.dmp

Filesize
552KB

Download
memory/988-73-0x0000000000000000-mapping.dmp

Download
memory/996-86-0x0000000000000000-mapping.dmp

Download
memory/1152-55-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1152-54-0x00000000009B0000-0x0000000000A3A000-memory.dmp

Filesize
552KB

Download
memory/1224-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1224-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1224-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1224-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1224-62-0x000000000041933E-mapping.dmp

Download
memory/1224-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1224-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1224-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1292-106-0x0000000000000000-mapping.dmp

Download
memory/1472-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1472-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1472-83-0x000000000041933E-mapping.dmp

Download
memory/1504-84-0x0000000000000000-mapping.dmp

Download
memory/1612-91-0x0000000000000000-mapping.dmp

Download
memory/1784-69-0x0000000000000000-mapping.dmp

Download
memory/1868-105-0x0000000000000000-mapping.dmp

Download
memory/1932-102-0x000000000041933E-mapping.dmp

Download
memory/1964-107-0x0000000000000000-mapping.dmp

Download
memory/1992-67-0x0000000000000000-mapping.dmp

Download
memory/2032-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads