redline | aaffd1b06ad080670e8cf627c0f0c4e961a8be4fefcc0910a30d726855669234

General

Target

AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe
Size

2.5MB
MD5

124d1f6dad8e6dd823ab9c96cab8f113
SHA1

717bfa0241abfa8fa744e16f80d6fde99ad0b243
SHA256

aaffd1b06ad080670e8cf627c0f0c4e961a8be4fefcc0910a30d726855669234
SHA512

7050d5073df91855ee7c5ec60de48861cac5e2bd6cb9beb26a7bdccc967ea35cf70f91a37aae2a794fd4d83613b0d23dfabbe3cbd67b889881d9c423ab2d8772

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

C2

185.215.113.83:60722

Attributes

auth_value
ee9d4f10e44838ce0db5ea42cecb58a9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/209352-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/209352-61-0x000000000041B4EE-mapping.dmp	family_redline
behavioral1/memory/209352-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/209352-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/209692-77-0x0000000001130000-0x0000000001F09000-memory.dmp	family_ytstealer
behavioral1/memory/209692-81-0x0000000001130000-0x0000000001F09000-memory.dmp	family_ytstealer

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Starter.exestart.exe

pid process

209640 Starter.exe
209692 start.exe

pid	process
209640	Starter.exe
209692	start.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\start.exe	upx
\Users\Admin\AppData\Local\Temp\start.exe	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral1/memory/209692-77-0x0000000001130000-0x0000000001F09000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral1/memory/209692-81-0x0000000001130000-0x0000000001F09000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

AppLaunch.exe

pid process

209352 AppLaunch.exe
209352 AppLaunch.exe
209352 AppLaunch.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
209352	AppLaunch.exe
209352	AppLaunch.exe
209352	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe

description	pid	process	target process
PID 1680 set thread context of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AppLaunch.exestart.exe

pid process

209352 AppLaunch.exe
209692 start.exe
209692 start.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exeStarter.exe

description pid process

Token: SeDebugPrivilege 209352 AppLaunch.exe
Token: SeDebugPrivilege 209640 Starter.exe

pid	process
209352	AppLaunch.exe
209692	start.exe
209692	start.exe

description	pid	process
Token: SeDebugPrivilege	209352	AppLaunch.exe
Token: SeDebugPrivilege	209640	Starter.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exeAppLaunch.exestart.execmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 1680 wrote to memory of 209352	1680	AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe	AppLaunch.exe
PID 209352 wrote to memory of 209640	209352	AppLaunch.exe	Starter.exe
PID 209352 wrote to memory of 209640	209352	AppLaunch.exe	Starter.exe
PID 209352 wrote to memory of 209640	209352	AppLaunch.exe	Starter.exe
PID 209352 wrote to memory of 209640	209352	AppLaunch.exe	Starter.exe
PID 209352 wrote to memory of 209640	209352	AppLaunch.exe	Starter.exe
PID 209352 wrote to memory of 209640	209352	AppLaunch.exe	Starter.exe
PID 209352 wrote to memory of 209640	209352	AppLaunch.exe	Starter.exe
PID 209352 wrote to memory of 209692	209352	AppLaunch.exe	start.exe
PID 209352 wrote to memory of 209692	209352	AppLaunch.exe	start.exe
PID 209352 wrote to memory of 209692	209352	AppLaunch.exe	start.exe
PID 209352 wrote to memory of 209692	209352	AppLaunch.exe	start.exe
PID 209692 wrote to memory of 209904	209692	start.exe	cmd.exe
PID 209692 wrote to memory of 209904	209692	start.exe	cmd.exe
PID 209692 wrote to memory of 209904	209692	start.exe	cmd.exe
PID 209904 wrote to memory of 209372	209904	cmd.exe	choice.exe
PID 209904 wrote to memory of 209372	209904	cmd.exe	choice.exe
PID 209904 wrote to memory of 209372	209904	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe
"C:\Users\Admin\AppData\Local\Temp\AAFFD1B06AD080670E8CF627C0F0C4E961A8BE4FEFCC0910A30D726855669234.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:209352

C:\Users\Admin\AppData\Local\Temp\Starter.exe
"C:\Users\Admin\AppData\Local\Temp\Starter.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:209640

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:209692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\start.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:209904

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:209372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Starter.exe
Filesize
18KB

MD5
3d41fe66e7592eb35c5ef99a83fce2a4

SHA1
5dc2984ceb1a169b5571267159c43f1b0e5d757d

SHA256
7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

SHA512
9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

Download Submit
C:\Users\Admin\AppData\Local\Temp\Starter.exe
Filesize
18KB

MD5
3d41fe66e7592eb35c5ef99a83fce2a4

SHA1
5dc2984ceb1a169b5571267159c43f1b0e5d757d

SHA256
7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

SHA512
9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe
Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe
Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
\Users\Admin\AppData\Local\Temp\Starter.exe
Filesize
18KB

MD5
3d41fe66e7592eb35c5ef99a83fce2a4

SHA1
5dc2984ceb1a169b5571267159c43f1b0e5d757d

SHA256
7c58039db066e640a338ac6180adcf0b45cbfb9adaa7ae3b279d4628159c4198

SHA512
9ac687f2278f19265ae361eee6bbbe0234fed0d9b16c9f4524af8c9e1e131a51fddfa0a19cbbda9feb0b5ccf22ffaad97d5c425f179cb7d920dba66ad7f4e285

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe
Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe
Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
memory/209352-75-0x00000000067D0000-0x00000000075A9000-memory.dmp

Filesize
13.8MB

Download
memory/209352-64-0x0000000076901000-0x0000000076903000-memory.dmp

Filesize
8KB

Download
memory/209352-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/209352-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/209352-61-0x000000000041B4EE-mapping.dmp

Download
memory/209352-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/209352-76-0x00000000067D0000-0x00000000075A9000-memory.dmp

Filesize
13.8MB

Download
memory/209352-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/209372-79-0x0000000000000000-mapping.dmp

Download
memory/209640-70-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/209640-66-0x0000000000000000-mapping.dmp

Download
memory/209692-73-0x0000000000000000-mapping.dmp

Download
memory/209692-77-0x0000000001130000-0x0000000001F09000-memory.dmp

Filesize
13.8MB

Download
memory/209692-81-0x0000000001130000-0x0000000001F09000-memory.dmp

Filesize
13.8MB

Download
memory/209904-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads