redline | 4a769984457abcc5b0bb2bceca85ad8489ae25a61e477fbe870e9ac7a09d3e38

Analysis

max time kernel
69s
max time network
72s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
06/08/2022, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.exe
Size

357KB
MD5

f00689d1936bb064e915253da5b9d0f0
SHA1

94126b2448cd2f140d892eab9832e82161e225af
SHA256

4a769984457abcc5b0bb2bceca85ad8489ae25a61e477fbe870e9ac7a09d3e38
SHA512

7de6ebf819591f9fa71042740ba81510766896ec578c505b7c6dd19f0b18e26a8fa02e42a0c8dd50e79f9c362a095e54c8a71acf85d07546861e21cbf283d64b

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

185.215.113.23:15912

Attributes

auth_value
461a78774ac2e3e15e3a9b271b4491ac

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/190060-121-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/190060-126-0x000000000041B50E-mapping.dmp	family_redline
behavioral1/memory/1312-136-0x00000000000F0000-0x000000000014B000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/190288-609-0x0000000000F80000-0x0000000001D58000-memory.dmp	family_ytstealer
behavioral1/memory/190288-612-0x0000000000F80000-0x0000000001D58000-memory.dmp	family_ytstealer

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
190288	filename.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001ac04-601.dat	upx
behavioral1/files/0x000600000001ac04-602.dat	upx
behavioral1/memory/190288-608-0x0000000000F80000-0x0000000001D58000-memory.dmp	upx
behavioral1/memory/190288-609-0x0000000000F80000-0x0000000001D58000-memory.dmp	upx
behavioral1/memory/190288-612-0x0000000000F80000-0x0000000001D58000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 190060	1312	start.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
190140	1312	WerFault.exe	65

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
190060	AppLaunch.exe
190288	filename.exe
190288	filename.exe
190288	filename.exe
190288	filename.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	190060	AppLaunch.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 190060	1312	start.exe	67
PID 1312 wrote to memory of 190060	1312	start.exe	67
PID 1312 wrote to memory of 190060	1312	start.exe	67
PID 1312 wrote to memory of 190060	1312	start.exe	67
PID 1312 wrote to memory of 190060	1312	start.exe	67
PID 190060 wrote to memory of 190288	190060	AppLaunch.exe	71
PID 190060 wrote to memory of 190288	190060	AppLaunch.exe	71
PID 190288 wrote to memory of 190588	190288	filename.exe	75
PID 190288 wrote to memory of 190588	190288	filename.exe	75
PID 190588 wrote to memory of 190624	190588	cmd.exe	77
PID 190588 wrote to memory of 190624	190588	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:190060
- - C:\Users\Admin\AppData\Local\Temp\filename.exe
    "C:\Users\Admin\AppData\Local\Temp\filename.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:190288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\filename.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:190588
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:190624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 187108
  2⤵
  - Program crash
  PID:190140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\filename.exe

Filesize
4.0MB

MD5
3bcf5e8abe826566ad59a780abce7b87

SHA1
dac990aa2d242cddb7027a240c35ea4d45b575b9

SHA256
6a379a2c6dde2a4e27b3239967bc2ccaf9d41788aa904ee68d2a2de16380a624

SHA512
ba01fc56f06f3e02ae47b664c1d9abdf9f04872b912f7c914242fca57e34fdcb4313220892291a704df85adcf22390a71cfc275b5dd912176ddf015e6ae86052

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

Filesize
4.0MB

MD5
3bcf5e8abe826566ad59a780abce7b87

SHA1
dac990aa2d242cddb7027a240c35ea4d45b575b9

SHA256
6a379a2c6dde2a4e27b3239967bc2ccaf9d41788aa904ee68d2a2de16380a624

SHA512
ba01fc56f06f3e02ae47b664c1d9abdf9f04872b912f7c914242fca57e34fdcb4313220892291a704df85adcf22390a71cfc275b5dd912176ddf015e6ae86052

Download Submit
memory/1312-115-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1312-116-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1312-117-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1312-118-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1312-119-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1312-120-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/1312-136-0x00000000000F0000-0x000000000014B000-memory.dmp

Filesize
364KB

Download
memory/190060-121-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/190060-127-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-128-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-129-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-130-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-131-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-133-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-134-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-137-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-138-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-139-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-140-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-141-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-142-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-143-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-144-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-145-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-146-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-147-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-149-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-148-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-150-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-151-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-152-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-153-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-154-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-155-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-156-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-157-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-158-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-159-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-161-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-162-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-163-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-164-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-165-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-166-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-167-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-168-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-169-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-170-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-171-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-172-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-173-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-174-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-175-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-176-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-178-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-177-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-179-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-180-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-181-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-182-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-183-0x0000000009AD0000-0x000000000A0D6000-memory.dmp

Filesize
6.0MB

Download
memory/190060-184-0x0000000009520000-0x0000000009532000-memory.dmp

Filesize
72KB

Download
memory/190060-185-0x0000000009650000-0x000000000975A000-memory.dmp

Filesize
1.0MB

Download
memory/190060-186-0x0000000077050000-0x00000000771DE000-memory.dmp

Filesize
1.6MB

Download
memory/190060-188-0x0000000009580000-0x00000000095BE000-memory.dmp

Filesize
248KB

Download
memory/190060-190-0x00000000095E0000-0x000000000962B000-memory.dmp

Filesize
300KB

Download
memory/190060-201-0x00000000098C0000-0x0000000009926000-memory.dmp

Filesize
408KB

Download
memory/190060-209-0x000000000A8E0000-0x000000000ADDE000-memory.dmp

Filesize
5.0MB

Download
memory/190060-212-0x000000000A460000-0x000000000A4D6000-memory.dmp

Filesize
472KB

Download
memory/190060-213-0x000000000A580000-0x000000000A612000-memory.dmp

Filesize
584KB

Download
memory/190060-217-0x000000000A840000-0x000000000A85E000-memory.dmp

Filesize
120KB

Download
memory/190060-226-0x000000000AFB0000-0x000000000B172000-memory.dmp

Filesize
1.8MB

Download
memory/190060-227-0x000000000B6B0000-0x000000000BBDC000-memory.dmp

Filesize
5.2MB

Download
memory/190288-608-0x0000000000F80000-0x0000000001D58000-memory.dmp

Filesize
13.8MB

Download
memory/190288-609-0x0000000000F80000-0x0000000001D58000-memory.dmp

Filesize
13.8MB

Download
memory/190288-612-0x0000000000F80000-0x0000000001D58000-memory.dmp

Filesize
13.8MB

Download