redline | 680f28fc36441a05ef4a4a19b64ee60c73c2fb9653d26b028d64e93aba781b32

Analysis

max time kernel
123s
max time network
181s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
12-08-2022 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe
Size

2.5MB
MD5

b93ca6dd6a570b6737c161a6c02e4c47
SHA1

d97c8f1fa60237963a61b2320aa43c01b8987634
SHA256

680f28fc36441a05ef4a4a19b64ee60c73c2fb9653d26b028d64e93aba781b32
SHA512

37728d2af479067109ae9177b1a4a19e9f40bead9ed112e5b52bf4618b97f8a620597ff4e66e464196076321513a069d709f62ea92ae179c23a18296ef8c88c6

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

185.215.113.23:15912

Attributes

auth_value
ca11d6bb68385493a28fdddb02897eaf

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/211172-133-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/211172-138-0x000000000041B4CE-mapping.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-620-0x00000000011C0000-0x0000000001FD2000-memory.dmp	family_ytstealer
behavioral2/memory/3104-637-0x00000000011C0000-0x0000000001FD2000-memory.dmp	family_ytstealer

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

filename.exe

pid process

3104 filename.exe

pid	process
3104	filename.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\filename.exe	upx
C:\Users\Admin\AppData\Local\Temp\filename.exe	upx
behavioral2/memory/3104-619-0x00000000011C0000-0x0000000001FD2000-memory.dmp	upx
behavioral2/memory/3104-620-0x00000000011C0000-0x0000000001FD2000-memory.dmp	upx
behavioral2/memory/3104-637-0x00000000011C0000-0x0000000001FD2000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe

description	pid	process	target process
PID 2240 set thread context of 211172	2240	680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AppLaunch.exepowershell.exe

pid process

211172 AppLaunch.exe
812 powershell.exe
812 powershell.exe
812 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exepowershell.exe

description pid process

Token: SeDebugPrivilege 211172 AppLaunch.exe
Token: SeDebugPrivilege 812 powershell.exe

pid	process
211172	AppLaunch.exe
812	powershell.exe
812	powershell.exe
812	powershell.exe

description	pid	process
Token: SeDebugPrivilege	211172	AppLaunch.exe
Token: SeDebugPrivilege	812	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exeAppLaunch.exefilename.exe

description	pid	process	target process
PID 2240 wrote to memory of 211172	2240	680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe	AppLaunch.exe
PID 2240 wrote to memory of 211172	2240	680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe	AppLaunch.exe
PID 2240 wrote to memory of 211172	2240	680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe	AppLaunch.exe
PID 2240 wrote to memory of 211172	2240	680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe	AppLaunch.exe
PID 2240 wrote to memory of 211172	2240	680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe	AppLaunch.exe
PID 211172 wrote to memory of 3104	211172	AppLaunch.exe	filename.exe
PID 211172 wrote to memory of 3104	211172	AppLaunch.exe	filename.exe
PID 3104 wrote to memory of 812	3104	filename.exe	powershell.exe
PID 3104 wrote to memory of 812	3104	filename.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe
"C:\Users\Admin\AppData\Local\Temp\680F28FC36441A05EF4A4A19B64EE60C73C2FB9653D26B028D64E93ABA781B32.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:211172

C:\Users\Admin\AppData\Local\Temp\filename.exe
"C:\Users\Admin\AppData\Local\Temp\filename.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\filename.exe

Filesize
4.0MB

MD5
6452e14763ae943f8e556f65c09473eb

SHA1
290981d61d73c696b475c8fefed323b569418bde

SHA256
bc35c66b1be35a701e70388789b6446093fa71716801c8828c3f363eee1a183e

SHA512
44ac3be1c66b734a908a88c79df310788dd5edd1e8bbaa577682459163fa347282a937d4d4d48710e1a1f08e89ca8d4674cbdbc51e015539dce4509645727796

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

Filesize
4.0MB

MD5
6452e14763ae943f8e556f65c09473eb

SHA1
290981d61d73c696b475c8fefed323b569418bde

SHA256
bc35c66b1be35a701e70388789b6446093fa71716801c8828c3f363eee1a183e

SHA512
44ac3be1c66b734a908a88c79df310788dd5edd1e8bbaa577682459163fa347282a937d4d4d48710e1a1f08e89ca8d4674cbdbc51e015539dce4509645727796

Download Submit
memory/812-621-0x0000000000000000-mapping.dmp

Download
memory/812-626-0x0000015AD9020000-0x0000015AD9042000-memory.dmp

Filesize
136KB

Download
memory/812-629-0x0000015AD91D0000-0x0000015AD9246000-memory.dmp

Filesize
472KB

Download
memory/2240-128-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-129-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-122-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-123-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-124-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-127-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-126-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-120-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-125-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-121-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-130-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-131-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-132-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-117-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-118-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/2240-119-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/3104-637-0x00000000011C0000-0x0000000001FD2000-memory.dmp

Filesize
14.1MB

Download
memory/3104-620-0x00000000011C0000-0x0000000001FD2000-memory.dmp

Filesize
14.1MB

Download
memory/3104-619-0x00000000011C0000-0x0000000001FD2000-memory.dmp

Filesize
14.1MB

Download
memory/3104-611-0x0000000000000000-mapping.dmp

Download
memory/211172-158-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-173-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-143-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-145-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-146-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-148-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-149-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-150-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-151-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-152-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-153-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-154-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-155-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-156-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-157-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-141-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-159-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-160-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-161-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-162-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-163-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-164-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-165-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-166-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-167-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-168-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-169-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-170-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-172-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-142-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-174-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-175-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-176-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-177-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-178-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-179-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-180-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-181-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-182-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-183-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-184-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-194-0x0000000009200000-0x0000000009806000-memory.dmp

Filesize
6.0MB

Download
memory/211172-195-0x0000000008C60000-0x0000000008C72000-memory.dmp

Filesize
72KB

Download
memory/211172-196-0x0000000008D90000-0x0000000008E9A000-memory.dmp

Filesize
1.0MB

Download
memory/211172-199-0x0000000008CC0000-0x0000000008CFE000-memory.dmp

Filesize
248KB

Download
memory/211172-201-0x0000000008D00000-0x0000000008D4B000-memory.dmp

Filesize
300KB

Download
memory/211172-212-0x0000000009050000-0x00000000090B6000-memory.dmp

Filesize
408KB

Download
memory/211172-220-0x000000000A010000-0x000000000A50E000-memory.dmp

Filesize
5.0MB

Download
memory/211172-140-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-139-0x00000000771B0000-0x000000007733E000-memory.dmp

Filesize
1.6MB

Download
memory/211172-138-0x000000000041B4CE-mapping.dmp

Download
memory/211172-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/211172-223-0x0000000009BA0000-0x0000000009C16000-memory.dmp

Filesize
472KB

Download
memory/211172-224-0x0000000009CC0000-0x0000000009D52000-memory.dmp

Filesize
584KB

Download
memory/211172-228-0x0000000009D60000-0x0000000009D7E000-memory.dmp

Filesize
120KB

Download
memory/211172-483-0x000000000A8E0000-0x000000000AAA2000-memory.dmp

Filesize
1.8MB

Download
memory/211172-484-0x000000000AFE0000-0x000000000B50C000-memory.dmp

Filesize
5.2MB

Download