redline | 82a257f1ae25b44d4e7f6cf5f2fa090167e0eef5eea8c29483bf395915e60f77

Analysis

max time kernel
55s
max time network
54s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
10/08/2022, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

3.9MB
MD5

853520ad456c09eefe8ee74bd0347d98
SHA1

9cd02b1a635eb026ce5a2ac4097f539fc4a172b2
SHA256

82a257f1ae25b44d4e7f6cf5f2fa090167e0eef5eea8c29483bf395915e60f77
SHA512

e333dbd3505df34da5a1ff7ef336c60a990f632defe7f3869724d098e9b7c024b8a61d4efd10b373c6f7665d8e8fc1453bf8011627fe87ec6a05d5ccdd1923ff

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
b23dc891e63fa34396c9c6001de146e2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/976-54-0x0000000000400000-0x0000000000AA4000-memory.dmp	family_redline
behavioral1/memory/43208-61-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/43208-66-0x000000000041B53E-mapping.dmp	family_redline
behavioral1/memory/43208-67-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/43208-68-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/43200-83-0x0000000000B80000-0x0000000001959000-memory.dmp	family_ytstealer
behavioral1/memory/43200-90-0x0000000000B80000-0x0000000001959000-memory.dmp	family_ytstealer

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
43036	MainModule.exe
43200	start.exe
1184	crypted.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000139d4-77.dat	upx
behavioral1/files/0x00080000000139d4-78.dat	upx
behavioral1/files/0x00080000000139d4-80.dat	upx
behavioral1/memory/43200-83-0x0000000000B80000-0x0000000001959000-memory.dmp	upx
behavioral1/memory/43200-90-0x0000000000B80000-0x0000000001959000-memory.dmp	upx
behavioral1/files/0x00080000000139d4-92.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
43208	AppLaunch.exe
43208	AppLaunch.exe
43208	AppLaunch.exe
43208	AppLaunch.exe
43208	AppLaunch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 43208	976	Loader.exe	28

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
43208	AppLaunch.exe
43036	MainModule.exe
43200	start.exe
43200	start.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	43208	AppLaunch.exe
Token: SeDebugPrivilege	43036	MainModule.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 976 wrote to memory of 43208	976	Loader.exe	28
PID 43208 wrote to memory of 43036	43208	AppLaunch.exe	30
PID 43208 wrote to memory of 43036	43208	AppLaunch.exe	30
PID 43208 wrote to memory of 43036	43208	AppLaunch.exe	30
PID 43208 wrote to memory of 43036	43208	AppLaunch.exe	30
PID 43208 wrote to memory of 43036	43208	AppLaunch.exe	30
PID 43208 wrote to memory of 43036	43208	AppLaunch.exe	30
PID 43208 wrote to memory of 43036	43208	AppLaunch.exe	30
PID 43208 wrote to memory of 43200	43208	AppLaunch.exe	31
PID 43208 wrote to memory of 43200	43208	AppLaunch.exe	31
PID 43208 wrote to memory of 43200	43208	AppLaunch.exe	31
PID 43208 wrote to memory of 43200	43208	AppLaunch.exe	31
PID 43208 wrote to memory of 1184	43208	AppLaunch.exe	32
PID 43208 wrote to memory of 1184	43208	AppLaunch.exe	32
PID 43208 wrote to memory of 1184	43208	AppLaunch.exe	32
PID 43208 wrote to memory of 1184	43208	AppLaunch.exe	32
PID 43208 wrote to memory of 1184	43208	AppLaunch.exe	32
PID 43208 wrote to memory of 1184	43208	AppLaunch.exe	32
PID 43208 wrote to memory of 1184	43208	AppLaunch.exe	32
PID 43200 wrote to memory of 1548	43200	start.exe	33
PID 43200 wrote to memory of 1548	43200	start.exe	33
PID 43200 wrote to memory of 1548	43200	start.exe	33
PID 1548 wrote to memory of 1404	1548	cmd.exe	35
PID 1548 wrote to memory of 1404	1548	cmd.exe	35
PID 1548 wrote to memory of 1404	1548	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:43208
- - C:\Users\Admin\AppData\Local\Temp\MainModule.exe
    "C:\Users\Admin\AppData\Local\Temp\MainModule.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:43036
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:43200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\start.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:1404
- - C:\Users\Admin\AppData\Local\Temp\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
    3⤵
    - Executes dropped EXE
    PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
ef2b8152ff8b1abaa9772db14084e146

SHA1
df018e192e96b4e78fe363bad14870c0609b31bc

SHA256
95aee869076b042ee22f70b0a1fd9c1d968db88400042b971bdee82226d3fa9c

SHA512
a4ab1a7f781c52821076d42af93646e4a837d99dde63e36374dda554b81206c780e83a3a80b51b17e1648d55ccc883bb4507c3be712725dc50b1d96021376e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
ef2b8152ff8b1abaa9772db14084e146

SHA1
df018e192e96b4e78fe363bad14870c0609b31bc

SHA256
95aee869076b042ee22f70b0a1fd9c1d968db88400042b971bdee82226d3fa9c

SHA512
a4ab1a7f781c52821076d42af93646e4a837d99dde63e36374dda554b81206c780e83a3a80b51b17e1648d55ccc883bb4507c3be712725dc50b1d96021376e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
ef2b8152ff8b1abaa9772db14084e146

SHA1
df018e192e96b4e78fe363bad14870c0609b31bc

SHA256
95aee869076b042ee22f70b0a1fd9c1d968db88400042b971bdee82226d3fa9c

SHA512
a4ab1a7f781c52821076d42af93646e4a837d99dde63e36374dda554b81206c780e83a3a80b51b17e1648d55ccc883bb4507c3be712725dc50b1d96021376e76

Download Submit
\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
memory/976-54-0x0000000000400000-0x0000000000AA4000-memory.dmp

Filesize
6.6MB

Download
memory/1184-93-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1184-95-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1184-94-0x000000000A7A0000-0x000000000A7A8000-memory.dmp

Filesize
32KB

Download
memory/43036-76-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/43036-75-0x00000000010D0000-0x00000000010E8000-memory.dmp

Filesize
96KB

Download
memory/43200-83-0x0000000000B80000-0x0000000001959000-memory.dmp

Filesize
13.8MB

Download
memory/43200-90-0x0000000000B80000-0x0000000001959000-memory.dmp

Filesize
13.8MB

Download
memory/43208-82-0x00000000075A0000-0x0000000008379000-memory.dmp

Filesize
13.8MB

Download
memory/43208-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/43208-81-0x00000000075A0000-0x0000000008379000-memory.dmp

Filesize
13.8MB

Download
memory/43208-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/43208-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/43208-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/43208-69-0x0000000076631000-0x0000000076633000-memory.dmp

Filesize
8KB

Download