redline | b59600e131d839bca09180b6a1624ec0c8ed6a89f7b5f266e00d466a08bbbf50

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
12-08-2022 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe
Size

2.4MB
MD5

eb787c21d13fea35fdef02a4108a3837
SHA1

e49bdd16b109886c7bec44945dd442b815c85540
SHA256

b59600e131d839bca09180b6a1624ec0c8ed6a89f7b5f266e00d466a08bbbf50
SHA512

612e2428af924cd5f666542ddcc2842fbda8691de6659a9a7ea50f7d28ad11bbbd8a36772f0ab3dca6be86f29876ff6a12cb6e635d9a8788a9d4a50d8891ba64

Score

10^/10

redline infostealer spyware

Malware Config

Extracted

Family

redline

185.215.113.83:60722

Attributes

auth_value
dd55e2051534eafb87cf91977b6d459b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/197148-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/197148-61-0x000000000041B4EE-mapping.dmp	family_redline
behavioral1/memory/197148-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/197148-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe

description	pid	process	target process
PID 640 set thread context of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AppLaunch.exe

pid process

197148 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 197148 AppLaunch.exe

pid	process
197148	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	197148	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe

description	pid	process	target process
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe
PID 640 wrote to memory of 197148	640	B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe
"C:\Users\Admin\AppData\Local\Temp\B59600E131D839BCA09180B6A1624EC0C8ED6A89F7B5F266E00D466A08BBBF50.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:197148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/197148-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/197148-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/197148-61-0x000000000041B4EE-mapping.dmp

Download
memory/197148-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/197148-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/197148-64-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download