redline | a5f5bbe8fe2353733e90cd91c04a5c3ac111881daa1f5a9372728821f320845c

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe
Size

2.5MB
MD5

d5646c90a8af09a6e669a8e471005bbd
SHA1

526b70c4b3762c8983e8bb19b57ada1f75c52b19
SHA256

86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7
SHA512

4d948f4923877f29fe64991c90ea3a6c08473bc61cb6573151039e12a52f7a70d4e721c3888985df6d90cdeeb093cc36074d68597448d00e37f9f011af07645e

Score

10^/10

redline @ternetyfpl infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@ternetyFPL

62.204.41.144:14096

Attributes

auth_value
449f565b5fc3449e1b02eaa2fe5a56dd

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/199284-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/199284-61-0x000000000041ADD6-mapping.dmp	family_redline
behavioral1/memory/199284-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/199284-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe

description	pid	process	target process
PID 856 set thread context of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AppLaunch.exe

pid process

199284 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 199284 AppLaunch.exe

pid	process
199284	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	199284	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe

description	pid	process	target process
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe
PID 856 wrote to memory of 199284	856	86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe
"C:\Users\Admin\AppData\Local\Temp\86100403717b976b362ecf17cefe7f3055b4fca07ca66413c0b9eacd9e3f03b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:199284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/199284-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/199284-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/199284-61-0x000000000041ADD6-mapping.dmp

Download
memory/199284-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/199284-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/199284-64-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download