redline | fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9

Analysis

max time kernel
282s
max time network
298s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
30/07/2022, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9.exe
Size

2.9MB
MD5

aaa3dbcc297ef4ff7329d42440509fdc
SHA1

30a8c945583ad1e7b1f8ce0b79ca42e11ea13cd2
SHA256

fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9
SHA512

2bb68efba4372294633a59d6720b87983d12bf1092dd21feb6eb8667b223cf114fa31346ec131746b92d9591202cf4934b5a0e3f8230119678d7309a0936c208

Score

10^/10

redline @moriwws infostealer spyware

Malware Config

Extracted

Family

redline

193.106.191.160:8673

194.93.2.28:21390

185.186.142.127:6737

Attributes

auth_value
a92e5e3459b5f1ea8a76ec4f05c50c1e

Extracted

Family

redline

Botnet

@moriwWs

neredenkyor.xyz:81

Attributes

auth_value
c2f987b4e6cd55ad1315311e92563eca

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 12 IoCs

resource	yara_rule
behavioral1/memory/743764-82-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/610776-91-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/743764-100-0x000000000041B50E-mapping.dmp	family_redline
behavioral1/memory/610776-103-0x000000000041BC3E-mapping.dmp	family_redline
behavioral1/memory/743764-106-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/610776-108-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/610776-109-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/743764-107-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/717024-112-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/717024-118-0x00000000000AADD6-mapping.dmp	family_redline
behavioral1/memory/717024-121-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/717024-122-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2016	54741.exe
972	v.exe
14812	r.exe
37820	g.exe
95864	x.exe

Loads dropped DLL 9 IoCs

pid	Process
1744	powershell.exe
2016	54741.exe
2016	54741.exe
2016	54741.exe
2016	54741.exe
2016	54741.exe
2016	54741.exe
2016	54741.exe
2016	54741.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 95864 set thread context of 723892	95864	x.exe	40
PID 37820 set thread context of 743764	37820	g.exe	41
PID 972 set thread context of 610776	972	v.exe	38
PID 14812 set thread context of 717024	14812	r.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1744	powershell.exe
1744	powershell.exe
743764	AppLaunch.exe
610776	AppLaunch.exe
717024	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	717024	AppLaunch.exe
Token: SeDebugPrivilege	743764	AppLaunch.exe
Token: SeDebugPrivilege	610776	AppLaunch.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1744	1392	fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9.exe	27
PID 1392 wrote to memory of 1744	1392	fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9.exe	27
PID 1392 wrote to memory of 1744	1392	fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9.exe	27
PID 1392 wrote to memory of 1744	1392	fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9.exe	27
PID 1744 wrote to memory of 2016	1744	powershell.exe	29
PID 1744 wrote to memory of 2016	1744	powershell.exe	29
PID 1744 wrote to memory of 2016	1744	powershell.exe	29
PID 1744 wrote to memory of 2016	1744	powershell.exe	29
PID 2016 wrote to memory of 972	2016	54741.exe	30
PID 2016 wrote to memory of 972	2016	54741.exe	30
PID 2016 wrote to memory of 972	2016	54741.exe	30
PID 2016 wrote to memory of 972	2016	54741.exe	30
PID 2016 wrote to memory of 14812	2016	54741.exe	32
PID 2016 wrote to memory of 14812	2016	54741.exe	32
PID 2016 wrote to memory of 14812	2016	54741.exe	32
PID 2016 wrote to memory of 14812	2016	54741.exe	32
PID 2016 wrote to memory of 37820	2016	54741.exe	34
PID 2016 wrote to memory of 37820	2016	54741.exe	34
PID 2016 wrote to memory of 37820	2016	54741.exe	34
PID 2016 wrote to memory of 37820	2016	54741.exe	34
PID 2016 wrote to memory of 95864	2016	54741.exe	36
PID 2016 wrote to memory of 95864	2016	54741.exe	36
PID 2016 wrote to memory of 95864	2016	54741.exe	36
PID 2016 wrote to memory of 95864	2016	54741.exe	36
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 972 wrote to memory of 610776	972	v.exe	38
PID 972 wrote to memory of 610776	972	v.exe	38
PID 972 wrote to memory of 610776	972	v.exe	38
PID 972 wrote to memory of 610776	972	v.exe	38
PID 972 wrote to memory of 610776	972	v.exe	38
PID 972 wrote to memory of 610776	972	v.exe	38
PID 972 wrote to memory of 610776	972	v.exe	38
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 972 wrote to memory of 610776	972	v.exe	38
PID 95864 wrote to memory of 723892	95864	x.exe	40
PID 37820 wrote to memory of 743764	37820	g.exe	41
PID 972 wrote to memory of 610776	972	v.exe	38
PID 14812 wrote to memory of 717024	14812	r.exe	39
PID 14812 wrote to memory of 717024	14812	r.exe	39
PID 14812 wrote to memory of 717024	14812	r.exe	39
PID 14812 wrote to memory of 717024	14812	r.exe	39
PID 14812 wrote to memory of 717024	14812	r.exe	39
PID 14812 wrote to memory of 717024	14812	r.exe	39
PID 14812 wrote to memory of 717024	14812	r.exe	39
PID 14812 wrote to memory of 717024	14812	r.exe	39
PID 14812 wrote to memory of 717024	14812	r.exe	39

C:\Users\Admin\AppData\Local\Temp\fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9.exe
"C:\Users\Admin\AppData\Local\Temp\fbcd45b47c28ba4275e76079c58ce6d36386d0600d102ca29628973116a340d9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process -FilePath C:\Users\Admin\AppData\Local\Temp\54741.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\54741.exe
    "C:\Users\Admin\AppData\Local\Temp\54741.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\v.exe
      "C:\Users\Admin\AppData\Local\Temp\v.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:610776
  - - C:\Users\Admin\AppData\Local\Temp\r.exe
      "C:\Users\Admin\AppData\Local\Temp\r.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:14812
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:717024
  - - C:\Users\Admin\AppData\Local\Temp\g.exe
      "C:\Users\Admin\AppData\Local\Temp\g.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:37820
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:743764
  - - C:\Users\Admin\AppData\Local\Temp\x.exe
      "C:\Users\Admin\AppData\Local\Temp\x.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:95864
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:723892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54741.exe

Filesize
1.7MB

MD5
fc50da6d7611c0388542345af32164ea

SHA1
38a940871565a966749508eb2dd746ce2b5adb09

SHA256
32eda0605fb448ee351e12fcb06cc14a45a8d3a1d5c0cbd68c16bdd993873b24

SHA512
dbef20f58feeba7e4503fd0594908b723df7790342414cf076c77a4d84281a8af4a88e65feafd76d7a4836f3092d76708a87f8ab021df7e0dce1d3249aaea764

Download Submit
C:\Users\Admin\AppData\Local\Temp\54741.exe

Filesize
1.7MB

MD5
fc50da6d7611c0388542345af32164ea

SHA1
38a940871565a966749508eb2dd746ce2b5adb09

SHA256
32eda0605fb448ee351e12fcb06cc14a45a8d3a1d5c0cbd68c16bdd993873b24

SHA512
dbef20f58feeba7e4503fd0594908b723df7790342414cf076c77a4d84281a8af4a88e65feafd76d7a4836f3092d76708a87f8ab021df7e0dce1d3249aaea764

Download Submit
C:\Users\Admin\AppData\Local\Temp\g.exe

Filesize
1.4MB

MD5
c2fb7cd0cd6ed34e9ecebec33e4b2977

SHA1
ba46fecd84c4b138f3cbe6074539f2ca95ab9e36

SHA256
83ac1f2ae2aed80455750c99992559f009ba2bcf450d21d7fd74b52c4149de71

SHA512
d7bf5d2b68304a7c2076e4d60d1fd772a617a25eadbc255920f6f64001edf053dca8fd948326ce1b99b3facef000493867c4c8743d350ad48dec2b8cf6adb551

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.exe

Filesize
2.4MB

MD5
f9553db053dc46b78d5df4250b7eb856

SHA1
5746f285f9ded98b81c653afd13167d117f503a0

SHA256
797087014be1f103e61780d6061c0fc34ce5e899158d924221523d6d372ee5fb

SHA512
da388a8aab24924b9b4d7a86cf4496e9159c1f5ca6e15d0fed61d73ca381ea19b2b8a3830f9812ce54b634cd0b15b24eaf13e23018ba8cb6be72b9e7205f011f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.exe

Filesize
1.3MB

MD5
82b89beccee5a94ed7b5e658378a2ab9

SHA1
0bfb7aa1c4186278b202e0d2fae5a5374a563454

SHA256
27647e78a83d0ec40696f05d8d8cfbafbcfb778c9301c368991320a0e9c12428

SHA512
a5b990dd74f4ab39a5465f515dde824da0f2fc43121c51b7469c29d49d5a439c74353a3e18c1015092615e5eb2c0cf21ead43930ce71a2359ed40442ca7e38ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
2.5MB

MD5
40badae91f0c7250d2c230f4d3ca2266

SHA1
eeec6634aa7ea776d76cf5f0b904e31a64caf05c

SHA256
5a5db1b91bfbd2b4ce79745651bfaa120bcf4d0c6cc1aeccfbae852df176c3f7

SHA512
3ba66cb90347ffe28b35fe775203af9b9e1c66c612a0cf12bb9d029d79f863e153d9fbb9020a7299f54567b6003b0cd680759a9cb64409509ddf1b49804c99e9

Download Submit
\Users\Admin\AppData\Local\Temp\54741.exe

Filesize
1.7MB

MD5
fc50da6d7611c0388542345af32164ea

SHA1
38a940871565a966749508eb2dd746ce2b5adb09

SHA256
32eda0605fb448ee351e12fcb06cc14a45a8d3a1d5c0cbd68c16bdd993873b24

SHA512
dbef20f58feeba7e4503fd0594908b723df7790342414cf076c77a4d84281a8af4a88e65feafd76d7a4836f3092d76708a87f8ab021df7e0dce1d3249aaea764

Download Submit
\Users\Admin\AppData\Local\Temp\g.exe

Filesize
1.4MB

MD5
c2fb7cd0cd6ed34e9ecebec33e4b2977

SHA1
ba46fecd84c4b138f3cbe6074539f2ca95ab9e36

SHA256
83ac1f2ae2aed80455750c99992559f009ba2bcf450d21d7fd74b52c4149de71

SHA512
d7bf5d2b68304a7c2076e4d60d1fd772a617a25eadbc255920f6f64001edf053dca8fd948326ce1b99b3facef000493867c4c8743d350ad48dec2b8cf6adb551

Download Submit
\Users\Admin\AppData\Local\Temp\g.exe

Filesize
1.4MB

MD5
c2fb7cd0cd6ed34e9ecebec33e4b2977

SHA1
ba46fecd84c4b138f3cbe6074539f2ca95ab9e36

SHA256
83ac1f2ae2aed80455750c99992559f009ba2bcf450d21d7fd74b52c4149de71

SHA512
d7bf5d2b68304a7c2076e4d60d1fd772a617a25eadbc255920f6f64001edf053dca8fd948326ce1b99b3facef000493867c4c8743d350ad48dec2b8cf6adb551

Download Submit
\Users\Admin\AppData\Local\Temp\r.exe

Filesize
2.4MB

MD5
f9553db053dc46b78d5df4250b7eb856

SHA1
5746f285f9ded98b81c653afd13167d117f503a0

SHA256
797087014be1f103e61780d6061c0fc34ce5e899158d924221523d6d372ee5fb

SHA512
da388a8aab24924b9b4d7a86cf4496e9159c1f5ca6e15d0fed61d73ca381ea19b2b8a3830f9812ce54b634cd0b15b24eaf13e23018ba8cb6be72b9e7205f011f

Download Submit
\Users\Admin\AppData\Local\Temp\r.exe

Filesize
2.4MB

MD5
f9553db053dc46b78d5df4250b7eb856

SHA1
5746f285f9ded98b81c653afd13167d117f503a0

SHA256
797087014be1f103e61780d6061c0fc34ce5e899158d924221523d6d372ee5fb

SHA512
da388a8aab24924b9b4d7a86cf4496e9159c1f5ca6e15d0fed61d73ca381ea19b2b8a3830f9812ce54b634cd0b15b24eaf13e23018ba8cb6be72b9e7205f011f

Download Submit
\Users\Admin\AppData\Local\Temp\v.exe

Filesize
1.3MB

MD5
82b89beccee5a94ed7b5e658378a2ab9

SHA1
0bfb7aa1c4186278b202e0d2fae5a5374a563454

SHA256
27647e78a83d0ec40696f05d8d8cfbafbcfb778c9301c368991320a0e9c12428

SHA512
a5b990dd74f4ab39a5465f515dde824da0f2fc43121c51b7469c29d49d5a439c74353a3e18c1015092615e5eb2c0cf21ead43930ce71a2359ed40442ca7e38ee

Download Submit
\Users\Admin\AppData\Local\Temp\v.exe

Filesize
1.3MB

MD5
82b89beccee5a94ed7b5e658378a2ab9

SHA1
0bfb7aa1c4186278b202e0d2fae5a5374a563454

SHA256
27647e78a83d0ec40696f05d8d8cfbafbcfb778c9301c368991320a0e9c12428

SHA512
a5b990dd74f4ab39a5465f515dde824da0f2fc43121c51b7469c29d49d5a439c74353a3e18c1015092615e5eb2c0cf21ead43930ce71a2359ed40442ca7e38ee

Download Submit
\Users\Admin\AppData\Local\Temp\x.exe

Filesize
2.5MB

MD5
40badae91f0c7250d2c230f4d3ca2266

SHA1
eeec6634aa7ea776d76cf5f0b904e31a64caf05c

SHA256
5a5db1b91bfbd2b4ce79745651bfaa120bcf4d0c6cc1aeccfbae852df176c3f7

SHA512
3ba66cb90347ffe28b35fe775203af9b9e1c66c612a0cf12bb9d029d79f863e153d9fbb9020a7299f54567b6003b0cd680759a9cb64409509ddf1b49804c99e9

Download Submit
\Users\Admin\AppData\Local\Temp\x.exe

Filesize
2.5MB

MD5
40badae91f0c7250d2c230f4d3ca2266

SHA1
eeec6634aa7ea776d76cf5f0b904e31a64caf05c

SHA256
5a5db1b91bfbd2b4ce79745651bfaa120bcf4d0c6cc1aeccfbae852df176c3f7

SHA512
3ba66cb90347ffe28b35fe775203af9b9e1c66c612a0cf12bb9d029d79f863e153d9fbb9020a7299f54567b6003b0cd680759a9cb64409509ddf1b49804c99e9

Download Submit
memory/1392-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1744-62-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-61-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/610776-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/610776-108-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/610776-109-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/717024-112-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/717024-122-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/717024-121-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/723892-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/723892-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/723892-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/723892-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/743764-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/743764-106-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/743764-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/743764-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download