redline | 538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

General

Target

SecuriteInfo.com.Variant.Ursu.588815.10992.exe
Size

525KB
MD5

15f43d61bee241657b1ad10d6aa11e57
SHA1

83e96ecb233bd270b4f002c55aa28e92306650ef
SHA256

538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8
SHA512

0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Score

10^/10

redline wizzy infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

wizzy

C2

107.182.128.57:48273

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/280-59-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/280-60-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/280-61-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/280-62-0x000000000041933E-mapping.dmp	family_redline
behavioral1/memory/280-64-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/280-66-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1644-82-0x000000000041933E-mapping.dmp	family_redline
behavioral1/memory/468-102-0x000000000041933E-mapping.dmp	family_redline
behavioral1/memory/468-105-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/468-107-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/380-122-0x000000000041933E-mapping.dmp	family_redline
behavioral1/memory/380-126-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline
behavioral1/memory/380-130-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline
behavioral1/memory/380-133-0x0000000000080000-0x000000000009E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

chromer.exechromer.exechromer.exe

pid process

1948 chromer.exe
1640 chromer.exe
1760 chromer.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1948	chromer.exe
1640	chromer.exe
1760	chromer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.588815.10992.exechromer.exechromer.exechromer.exe

description	pid	process	target process
PID 1640 set thread context of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1948 set thread context of 1644	1948	chromer.exe	vbc.exe
PID 1640 set thread context of 468	1640	chromer.exe	vbc.exe
PID 1760 set thread context of 380	1760	chromer.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1624 schtasks.exe
580 schtasks.exe
1044 schtasks.exe
268 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

280 vbc.exe
280 vbc.exe
1644 vbc.exe
1644 vbc.exe
468 vbc.exe
468 vbc.exe

pid	process
1624	schtasks.exe
580	schtasks.exe
1044	schtasks.exe
268	schtasks.exe

pid	process
280	vbc.exe
280	vbc.exe
1644	vbc.exe
1644	vbc.exe
468	vbc.exe
468	vbc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.588815.10992.exevbc.exechromer.exevbc.exechromer.exevbc.exechromer.exe

description	pid	process
Token: SeDebugPrivilege	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe
Token: SeDebugPrivilege	280	vbc.exe
Token: SeDebugPrivilege	1948	chromer.exe
Token: SeDebugPrivilege	1644	vbc.exe
Token: SeDebugPrivilege	1640	chromer.exe
Token: SeDebugPrivilege	468	vbc.exe
Token: SeDebugPrivilege	1760	chromer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Variant.Ursu.588815.10992.execmd.exetaskeng.exechromer.execmd.exechromer.exe

description	pid	process	target process
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 280	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	vbc.exe
PID 1640 wrote to memory of 1880	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1880	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1880	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1880	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1720	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1720	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1720	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1720	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1172	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1172	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1172	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1640 wrote to memory of 1172	1640	SecuriteInfo.com.Variant.Ursu.588815.10992.exe	cmd.exe
PID 1720 wrote to memory of 1624	1720	cmd.exe	schtasks.exe
PID 1720 wrote to memory of 1624	1720	cmd.exe	schtasks.exe
PID 1720 wrote to memory of 1624	1720	cmd.exe	schtasks.exe
PID 1720 wrote to memory of 1624	1720	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 1948	1740	taskeng.exe	chromer.exe
PID 1740 wrote to memory of 1948	1740	taskeng.exe	chromer.exe
PID 1740 wrote to memory of 1948	1740	taskeng.exe	chromer.exe
PID 1740 wrote to memory of 1948	1740	taskeng.exe	chromer.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1644	1948	chromer.exe	vbc.exe
PID 1948 wrote to memory of 1876	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 1876	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 1876	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 1876	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 1048	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 1048	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 1048	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 1048	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 564	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 564	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 564	1948	chromer.exe	cmd.exe
PID 1948 wrote to memory of 564	1948	chromer.exe	cmd.exe
PID 1048 wrote to memory of 580	1048	cmd.exe	schtasks.exe
PID 1048 wrote to memory of 580	1048	cmd.exe	schtasks.exe
PID 1048 wrote to memory of 580	1048	cmd.exe	schtasks.exe
PID 1048 wrote to memory of 580	1048	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 1640	1740	taskeng.exe	chromer.exe
PID 1740 wrote to memory of 1640	1740	taskeng.exe	chromer.exe
PID 1740 wrote to memory of 1640	1740	taskeng.exe	chromer.exe
PID 1740 wrote to memory of 1640	1740	taskeng.exe	chromer.exe
PID 1640 wrote to memory of 468	1640	chromer.exe	vbc.exe
PID 1640 wrote to memory of 468	1640	chromer.exe	vbc.exe
PID 1640 wrote to memory of 468	1640	chromer.exe	vbc.exe
PID 1640 wrote to memory of 468	1640	chromer.exe	vbc.exe
PID 1640 wrote to memory of 468	1640	chromer.exe	vbc.exe
PID 1640 wrote to memory of 468	1640	chromer.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
2⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.588815.10992.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
2⤵
PID:1172

C:\Windows\system32\taskeng.exe
taskeng.exe {09FFDBC1-6920-45F9-916F-9F9236F3FE42} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
3⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
4⤵
- Creates scheduled task(s)
PID:580

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
3⤵
PID:564

C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
3⤵
PID:576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
3⤵
PID:1000

C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\chromer"
3⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
3⤵
PID:836

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\chromer\chromer.exe'" /f
4⤵
- Creates scheduled task(s)
PID:268

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe" "C:\Users\Admin\AppData\Roaming\chromer\chromer.exe"
3⤵
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
Filesize
525KB

MD5
15f43d61bee241657b1ad10d6aa11e57

SHA1
83e96ecb233bd270b4f002c55aa28e92306650ef

SHA256
538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

SHA512
0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Download Submit
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
Filesize
525KB

MD5
15f43d61bee241657b1ad10d6aa11e57

SHA1
83e96ecb233bd270b4f002c55aa28e92306650ef

SHA256
538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

SHA512
0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Download Submit
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
Filesize
525KB

MD5
15f43d61bee241657b1ad10d6aa11e57

SHA1
83e96ecb233bd270b4f002c55aa28e92306650ef

SHA256
538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

SHA512
0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Download Submit
C:\Users\Admin\AppData\Roaming\chromer\chromer.exe
Filesize
525KB

MD5
15f43d61bee241657b1ad10d6aa11e57

SHA1
83e96ecb233bd270b4f002c55aa28e92306650ef

SHA256
538e65ae9a73e15bd98c8fd0b5ecce5aaecdeb5e36a12a416a56a78c3cfbb3c8

SHA512
0e8a516e1439ec1a871d2afba0140a38f2ac8f4f13ad2283d334edf01537aa147023abf81957118b347c7634a05651fb26177e634ba8882d79c35754cfac9e5a

Download Submit
memory/268-136-0x0000000000000000-mapping.dmp

Download
memory/280-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/280-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/280-62-0x000000000041933E-mapping.dmp

Download
memory/280-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/280-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/280-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/280-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/280-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/380-126-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/380-122-0x000000000041933E-mapping.dmp

Download
memory/380-130-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/380-133-0x0000000000080000-0x000000000009E000-memory.dmp

Filesize
120KB

Download
memory/468-102-0x000000000041933E-mapping.dmp

Download
memory/468-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/468-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/564-85-0x0000000000000000-mapping.dmp

Download
memory/576-108-0x0000000000000000-mapping.dmp

Download
memory/580-90-0x0000000000000000-mapping.dmp

Download
memory/836-124-0x0000000000000000-mapping.dmp

Download
memory/1000-109-0x0000000000000000-mapping.dmp

Download
memory/1044-111-0x0000000000000000-mapping.dmp

Download
memory/1048-84-0x0000000000000000-mapping.dmp

Download
memory/1172-69-0x0000000000000000-mapping.dmp

Download
memory/1532-123-0x0000000000000000-mapping.dmp

Download
memory/1624-70-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1640-92-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x0000000000EC0000-0x0000000000F4A000-memory.dmp

Filesize
552KB

Download
memory/1640-94-0x00000000012B0000-0x000000000133A000-memory.dmp

Filesize
552KB

Download
memory/1644-82-0x000000000041933E-mapping.dmp

Download
memory/1684-103-0x0000000000000000-mapping.dmp

Download
memory/1720-68-0x0000000000000000-mapping.dmp

Download
memory/1760-114-0x00000000012B0000-0x000000000133A000-memory.dmp

Filesize
552KB

Download
memory/1760-112-0x0000000000000000-mapping.dmp

Download
memory/1868-134-0x0000000000000000-mapping.dmp

Download
memory/1876-83-0x0000000000000000-mapping.dmp

Download
memory/1880-67-0x0000000000000000-mapping.dmp

Download
memory/1948-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads