redline | 20604c0a935b40dae9f6f791deddf9f6c37524d6bbfb90b1ee7e6a6b339c61a9

Analysis

max time kernel
45s
max time network
54s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
08-08-2022 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader2.exe
Size

4.6MB
MD5

8b748c19d519e352be4672fbc6b3561d
SHA1

ec7068896649caac57a04bf0fc101ddb4749861c
SHA256

b95da2213bec289569d3d68a8e461b74b78c86dfcc1f5a794dceec5de1b6a811
SHA512

f59964ccc2f3552e006a9ff1592aec7747d5355c053d9dd24e3fb5e907990e2339c6d37ea96243af88ceed8bd63318444143231f7d37b7966092be23e903833b

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

185.200.191.18:80

Attributes

auth_value
c7fe4e520a2358e148de28eb0d3f7a5e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral3/memory/188324-66-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral3/memory/188324-71-0x00000000000AA7CE-mapping.dmp	family_redline
behavioral3/memory/188324-73-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral3/memory/188324-72-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1340-75-0x00000000002A0000-0x00000000010B2000-memory.dmp	family_ytstealer

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

@bat9_v_zdanii_crypted.exe1007820897.exeStarter.exe

pid process

2020 @bat9_v_zdanii_crypted.exe
1340 1007820897.exe
364 Starter.exe

pid	process
2020	@bat9_v_zdanii_crypted.exe
1340	1007820897.exe
364	Starter.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\1007820897.exe	upx
\Users\Admin\AppData\Roaming\1007820897.exe	upx
C:\Users\Admin\AppData\Roaming\1007820897.exe	upx
behavioral3/memory/1340-63-0x00000000002A0000-0x00000000010B2000-memory.dmp	upx
behavioral3/memory/1340-75-0x00000000002A0000-0x00000000010B2000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

Loader2.exeAppLaunch.exe

pid process

1836 Loader2.exe
1836 Loader2.exe
1836 Loader2.exe
1836 Loader2.exe
188324 AppLaunch.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

@bat9_v_zdanii_crypted.exe

description pid process target process

PID 2020 set thread context of 188324 2020 @bat9_v_zdanii_crypted.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AppLaunch.exe

pid process

188324 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exeStarter.exe

description pid process

Token: SeDebugPrivilege 188324 AppLaunch.exe
Token: SeDebugPrivilege 364 Starter.exe

pid	process
1836	Loader2.exe
1836	Loader2.exe
1836	Loader2.exe
1836	Loader2.exe
188324	AppLaunch.exe

description	pid	process	target process
PID 2020 set thread context of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe

pid	process
188324	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	188324	AppLaunch.exe
Token: SeDebugPrivilege	364	Starter.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Loader2.exe@bat9_v_zdanii_crypted.exeAppLaunch.exe

description	pid	process	target process
PID 1836 wrote to memory of 2020	1836	Loader2.exe	@bat9_v_zdanii_crypted.exe
PID 1836 wrote to memory of 2020	1836	Loader2.exe	@bat9_v_zdanii_crypted.exe
PID 1836 wrote to memory of 2020	1836	Loader2.exe	@bat9_v_zdanii_crypted.exe
PID 1836 wrote to memory of 2020	1836	Loader2.exe	@bat9_v_zdanii_crypted.exe
PID 1836 wrote to memory of 1340	1836	Loader2.exe	1007820897.exe
PID 1836 wrote to memory of 1340	1836	Loader2.exe	1007820897.exe
PID 1836 wrote to memory of 1340	1836	Loader2.exe	1007820897.exe
PID 1836 wrote to memory of 1340	1836	Loader2.exe	1007820897.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 2020 wrote to memory of 188324	2020	@bat9_v_zdanii_crypted.exe	AppLaunch.exe
PID 188324 wrote to memory of 364	188324	AppLaunch.exe	Starter.exe
PID 188324 wrote to memory of 364	188324	AppLaunch.exe	Starter.exe
PID 188324 wrote to memory of 364	188324	AppLaunch.exe	Starter.exe
PID 188324 wrote to memory of 364	188324	AppLaunch.exe	Starter.exe
PID 188324 wrote to memory of 364	188324	AppLaunch.exe	Starter.exe
PID 188324 wrote to memory of 364	188324	AppLaunch.exe	Starter.exe
PID 188324 wrote to memory of 364	188324	AppLaunch.exe	Starter.exe

C:\Users\Admin\AppData\Local\Temp\Loader2.exe
"C:\Users\Admin\AppData\Local\Temp\Loader2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Roaming\@bat9_v_zdanii_crypted.exe
C:\Users\Admin\AppData\Roaming\@bat9_v_zdanii_crypted.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188324

C:\Users\Admin\AppData\Local\Temp\Starter.exe
"C:\Users\Admin\AppData\Local\Temp\Starter.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Users\Admin\AppData\Roaming\1007820897.exe
C:\Users\Admin\AppData\Roaming\1007820897.exe
2⤵
- Executes dropped EXE
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
3d41fe66e7592eb35c5ef99a83fce2a4

SHA1
5dc2984ceb1a169b5571267159c43f1b0e5d757d

SHA256
7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

SHA512
9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

Download Submit
C:\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
3d41fe66e7592eb35c5ef99a83fce2a4

SHA1
5dc2984ceb1a169b5571267159c43f1b0e5d757d

SHA256
7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

SHA512
9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

Download Submit
C:\Users\Admin\AppData\Roaming\1007820897.exe

Filesize
4.0MB

MD5
17fa7aff7201cf79ea793dc6f746b39c

SHA1
0f4b73f05e681a5fe58f38dcb762bafabd30ceff

SHA256
dc140ad2600b12c84abe85507e95817b672ec7b82889cd4e2abcb2a0b7261f95

SHA512
b5da4cc4adfe5de6f883d4748b209c68cff94cff98548ed7f9a75e6ea66d2d83e53989fd020094c517c1d0087d8f0697ffa4b00a686ed5c61c1a7aa8a6610a9a

Download Submit
C:\Users\Admin\AppData\Roaming\@bat9_v_zdanii_crypted.exe

Filesize
995KB

MD5
e2249292561cf6855efd151e5c5974b3

SHA1
817d987a5a7666482cda05c559c25db42fa6a0ee

SHA256
0d97e3c1a524343815209676b634d51e8665f3d68628adc6b7870f1e47df8627

SHA512
8db21f73e6f564f8d88c04c46e0c8dc276f4b7b9290b09fbaf2cd2f948316c36e6be57defe493a2192b1627d821559645388502a288b10faa169f59bfe9d9602

Download Submit
\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
3d41fe66e7592eb35c5ef99a83fce2a4

SHA1
5dc2984ceb1a169b5571267159c43f1b0e5d757d

SHA256
7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

SHA512
9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

Download Submit
\Users\Admin\AppData\Roaming\1007820897.exe

Filesize
4.0MB

MD5
17fa7aff7201cf79ea793dc6f746b39c

SHA1
0f4b73f05e681a5fe58f38dcb762bafabd30ceff

SHA256
dc140ad2600b12c84abe85507e95817b672ec7b82889cd4e2abcb2a0b7261f95

SHA512
b5da4cc4adfe5de6f883d4748b209c68cff94cff98548ed7f9a75e6ea66d2d83e53989fd020094c517c1d0087d8f0697ffa4b00a686ed5c61c1a7aa8a6610a9a

Download Submit
\Users\Admin\AppData\Roaming\1007820897.exe

Filesize
4.0MB

MD5
17fa7aff7201cf79ea793dc6f746b39c

SHA1
0f4b73f05e681a5fe58f38dcb762bafabd30ceff

SHA256
dc140ad2600b12c84abe85507e95817b672ec7b82889cd4e2abcb2a0b7261f95

SHA512
b5da4cc4adfe5de6f883d4748b209c68cff94cff98548ed7f9a75e6ea66d2d83e53989fd020094c517c1d0087d8f0697ffa4b00a686ed5c61c1a7aa8a6610a9a

Download Submit
\Users\Admin\AppData\Roaming\@bat9_v_zdanii_crypted.exe

Filesize
995KB

MD5
e2249292561cf6855efd151e5c5974b3

SHA1
817d987a5a7666482cda05c559c25db42fa6a0ee

SHA256
0d97e3c1a524343815209676b634d51e8665f3d68628adc6b7870f1e47df8627

SHA512
8db21f73e6f564f8d88c04c46e0c8dc276f4b7b9290b09fbaf2cd2f948316c36e6be57defe493a2192b1627d821559645388502a288b10faa169f59bfe9d9602

Download Submit
\Users\Admin\AppData\Roaming\@bat9_v_zdanii_crypted.exe

Filesize
995KB

MD5
e2249292561cf6855efd151e5c5974b3

SHA1
817d987a5a7666482cda05c559c25db42fa6a0ee

SHA256
0d97e3c1a524343815209676b634d51e8665f3d68628adc6b7870f1e47df8627

SHA512
8db21f73e6f564f8d88c04c46e0c8dc276f4b7b9290b09fbaf2cd2f948316c36e6be57defe493a2192b1627d821559645388502a288b10faa169f59bfe9d9602

Download Submit
memory/364-81-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/364-77-0x0000000000000000-mapping.dmp

Download
memory/1340-75-0x00000000002A0000-0x00000000010B2000-memory.dmp

Filesize
14.1MB

Download
memory/1340-63-0x00000000002A0000-0x00000000010B2000-memory.dmp

Filesize
14.1MB

Download
memory/1340-61-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/2020-57-0x0000000000000000-mapping.dmp

Download
memory/188324-71-0x00000000000AA7CE-mapping.dmp

Download
memory/188324-73-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/188324-72-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/188324-66-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/188324-64-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download