redline | b4804fd9d41771474066b3f4c0fd95b5e7a18ad5194b19f26197bfefda65c8ca

Analysis

max time kernel
90s
max time network
96s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
28-07-2022 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrivateHack.exe
Size

1.1MB
MD5

d6a2df8caa573872bbe9c8e8c59d6028
SHA1

0b8eda3c0f420a608347f7b76df017e75c2a6e42
SHA256

b4804fd9d41771474066b3f4c0fd95b5e7a18ad5194b19f26197bfefda65c8ca
SHA512

7d728cf075ed54f17a16d393ce38a885e7386799b3cc9edc250f6a961ee64bc040e2886ec22bf3ea0e99fa6f88ddf0fbb021ed96fc20c4b90b1b667f7f3e71f4

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
2809e5944cfb3e2f786ac4a1217ad4a9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/164248-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/164248-61-0x000000000041B54E-mapping.dmp	family_redline
behavioral1/memory/164248-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/164248-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/164648-78-0x0000000000E00000-0x0000000001BD9000-memory.dmp	family_ytstealer
behavioral1/memory/164648-85-0x0000000000E00000-0x0000000001BD9000-memory.dmp	family_ytstealer

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

MainModule.exestart.execrypted.exe

pid process

164588 MainModule.exe
164648 start.exe
164760 crypted.exe

pid	process
164588	MainModule.exe
164648	start.exe
164760	crypted.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\start.exe	upx
\Users\Admin\AppData\Local\Temp\start.exe	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral1/memory/164648-78-0x0000000000E00000-0x0000000001BD9000-memory.dmp	upx
behavioral1/memory/164648-85-0x0000000000E00000-0x0000000001BD9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx

Loads dropped DLL 5 IoCs

Processes:

AppLaunch.exe

pid process

164248 AppLaunch.exe
164248 AppLaunch.exe
164248 AppLaunch.exe
164248 AppLaunch.exe
164248 AppLaunch.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

PrivateHack.exe

description pid process target process

PID 1364 set thread context of 164248 1364 PrivateHack.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AppLaunch.exestart.exeMainModule.exe

pid process

164248 AppLaunch.exe
164648 start.exe
164648 start.exe
164588 MainModule.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exeMainModule.exe

description pid process

Token: SeDebugPrivilege 164248 AppLaunch.exe
Token: SeDebugPrivilege 164588 MainModule.exe

pid	process
164248	AppLaunch.exe
164248	AppLaunch.exe
164248	AppLaunch.exe
164248	AppLaunch.exe
164248	AppLaunch.exe

description	pid	process	target process
PID 1364 set thread context of 164248	1364	PrivateHack.exe	AppLaunch.exe

pid	process
164248	AppLaunch.exe
164648	start.exe
164648	start.exe
164588	MainModule.exe

description	pid	process
Token: SeDebugPrivilege	164248	AppLaunch.exe
Token: SeDebugPrivilege	164588	MainModule.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

PrivateHack.exeAppLaunch.exestart.execmd.exe

description	pid	process	target process
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 1364 wrote to memory of 164248	1364	PrivateHack.exe	AppLaunch.exe
PID 164248 wrote to memory of 164588	164248	AppLaunch.exe	MainModule.exe
PID 164248 wrote to memory of 164588	164248	AppLaunch.exe	MainModule.exe
PID 164248 wrote to memory of 164588	164248	AppLaunch.exe	MainModule.exe
PID 164248 wrote to memory of 164588	164248	AppLaunch.exe	MainModule.exe
PID 164248 wrote to memory of 164588	164248	AppLaunch.exe	MainModule.exe
PID 164248 wrote to memory of 164588	164248	AppLaunch.exe	MainModule.exe
PID 164248 wrote to memory of 164588	164248	AppLaunch.exe	MainModule.exe
PID 164248 wrote to memory of 164648	164248	AppLaunch.exe	start.exe
PID 164248 wrote to memory of 164648	164248	AppLaunch.exe	start.exe
PID 164248 wrote to memory of 164648	164248	AppLaunch.exe	start.exe
PID 164248 wrote to memory of 164648	164248	AppLaunch.exe	start.exe
PID 164248 wrote to memory of 164760	164248	AppLaunch.exe	crypted.exe
PID 164248 wrote to memory of 164760	164248	AppLaunch.exe	crypted.exe
PID 164248 wrote to memory of 164760	164248	AppLaunch.exe	crypted.exe
PID 164248 wrote to memory of 164760	164248	AppLaunch.exe	crypted.exe
PID 164248 wrote to memory of 164760	164248	AppLaunch.exe	crypted.exe
PID 164248 wrote to memory of 164760	164248	AppLaunch.exe	crypted.exe
PID 164248 wrote to memory of 164760	164248	AppLaunch.exe	crypted.exe
PID 164648 wrote to memory of 164840	164648	start.exe	cmd.exe
PID 164648 wrote to memory of 164840	164648	start.exe	cmd.exe
PID 164648 wrote to memory of 164840	164648	start.exe	cmd.exe
PID 164840 wrote to memory of 164272	164840	cmd.exe	choice.exe
PID 164840 wrote to memory of 164272	164840	cmd.exe	choice.exe
PID 164840 wrote to memory of 164272	164840	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\PrivateHack.exe
"C:\Users\Admin\AppData\Local\Temp\PrivateHack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:164248
- - C:\Users\Admin\AppData\Local\Temp\MainModule.exe
    "C:\Users\Admin\AppData\Local\Temp\MainModule.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:164588
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:164648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\start.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:164840
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:164272
- - C:\Users\Admin\AppData\Local\Temp\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
    3⤵
    - Executes dropped EXE
    PID:164760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
f558323a0bd928b28d92886c451422af

SHA1
f8fea1577dde45a7e64beb369c7dd5a82f4e63b0

SHA256
1c1b228eb1b74e7e6145bda0fbbfc085bd8161246261b86c2accc74c3db5cdce

SHA512
29081513b01c9e477c1c5c27b7e31900a78ad6644f88d5d8923b386574628ad5180cbfb0d57f8cc6d339adfa425fc0f1231f4285a33d033ea18373cdd1273465

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
f558323a0bd928b28d92886c451422af

SHA1
f8fea1577dde45a7e64beb369c7dd5a82f4e63b0

SHA256
1c1b228eb1b74e7e6145bda0fbbfc085bd8161246261b86c2accc74c3db5cdce

SHA512
29081513b01c9e477c1c5c27b7e31900a78ad6644f88d5d8923b386574628ad5180cbfb0d57f8cc6d339adfa425fc0f1231f4285a33d033ea18373cdd1273465

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
f558323a0bd928b28d92886c451422af

SHA1
f8fea1577dde45a7e64beb369c7dd5a82f4e63b0

SHA256
1c1b228eb1b74e7e6145bda0fbbfc085bd8161246261b86c2accc74c3db5cdce

SHA512
29081513b01c9e477c1c5c27b7e31900a78ad6644f88d5d8923b386574628ad5180cbfb0d57f8cc6d339adfa425fc0f1231f4285a33d033ea18373cdd1273465

Download Submit
\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
memory/164248-77-0x0000000007AC0000-0x0000000008899000-memory.dmp

Filesize
13.8MB

Download
memory/164248-64-0x0000000075C91000-0x0000000075C93000-memory.dmp

Filesize
8KB

Download
memory/164248-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/164248-61-0x000000000041B54E-mapping.dmp

Download
memory/164248-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/164248-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/164248-76-0x0000000007AC0000-0x0000000008899000-memory.dmp

Filesize
13.8MB

Download
memory/164248-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/164272-86-0x0000000000000000-mapping.dmp

Download
memory/164588-71-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/164588-66-0x0000000000000000-mapping.dmp

Download
memory/164588-70-0x0000000001340000-0x0000000001358000-memory.dmp

Filesize
96KB

Download
memory/164648-78-0x0000000000E00000-0x0000000001BD9000-memory.dmp

Filesize
13.8MB

Download
memory/164648-74-0x0000000000000000-mapping.dmp

Download
memory/164648-85-0x0000000000E00000-0x0000000001BD9000-memory.dmp

Filesize
13.8MB

Download
memory/164760-81-0x0000000000000000-mapping.dmp

Download
memory/164760-88-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/164760-89-0x000000000A8F0000-0x000000000A8F8000-memory.dmp

Filesize
32KB

Download
memory/164760-90-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/164840-84-0x0000000000000000-mapping.dmp

Download