redline | de422863cd1d6fc32ed020e93643e24f11dfed84d7ac62de2b8e9d0b38563237

Analysis

max time kernel
50s
max time network
60s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
12/08/2022, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

7.8MB
MD5

785ec578688eea5954c58fc5aaae01db
SHA1

631e3dcb1e26ca403dcb27b3b8ca02e43fb7f892
SHA256

de422863cd1d6fc32ed020e93643e24f11dfed84d7ac62de2b8e9d0b38563237
SHA512

085683845f328b1675676297bbaec7634daf8aae4391d82fc66bbad6a36b1f630a6ab7184b3ad7701fb1922d53bab8f70101261124bc3bb85e1b8a8e964f20eb

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

185.200.191.18:80

Attributes

auth_value
34e02e45e2e86edae48817cd60b40271

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1504-63-0x0000000000400000-0x0000000000A9D000-memory.dmp	family_redline
behavioral1/memory/121084-71-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/121084-76-0x000000000041A7DE-mapping.dmp	family_redline
behavioral1/memory/121084-77-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/121084-78-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1456-67-0x0000000000DD0000-0x0000000001BE2000-memory.dmp	family_ytstealer
behavioral1/memory/1456-85-0x0000000000DD0000-0x0000000001BE2000-memory.dmp	family_ytstealer

Executes dropped EXE 2 IoCs

pid	Process
1504	@norka16_crypted.exe
1456	5172511927.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001230c-59.dat	upx
behavioral1/files/0x000a00000001230c-60.dat	upx
behavioral1/files/0x000a00000001230c-62.dat	upx
behavioral1/memory/1456-67-0x0000000000DD0000-0x0000000001BE2000-memory.dmp	upx
behavioral1/memory/1456-85-0x0000000000DD0000-0x0000000001BE2000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
272	setup.exe
272	setup.exe
272	setup.exe
272	setup.exe
121128	WerFault.exe
121128	WerFault.exe
121128	WerFault.exe
121128	WerFault.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 121084	1504	@norka16_crypted.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
121128	1504	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
121084	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	121084	AppLaunch.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1504	272	setup.exe	28
PID 272 wrote to memory of 1504	272	setup.exe	28
PID 272 wrote to memory of 1504	272	setup.exe	28
PID 272 wrote to memory of 1504	272	setup.exe	28
PID 272 wrote to memory of 1456	272	setup.exe	29
PID 272 wrote to memory of 1456	272	setup.exe	29
PID 272 wrote to memory of 1456	272	setup.exe	29
PID 272 wrote to memory of 1456	272	setup.exe	29
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121084	1504	@norka16_crypted.exe	31
PID 1504 wrote to memory of 121128	1504	@norka16_crypted.exe	32
PID 1504 wrote to memory of 121128	1504	@norka16_crypted.exe	32
PID 1504 wrote to memory of 121128	1504	@norka16_crypted.exe	32
PID 1504 wrote to memory of 121128	1504	@norka16_crypted.exe	32

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272
- C:\Users\Admin\AppData\Roaming\@norka16_crypted.exe
  C:\Users\Admin\AppData\Roaming\@norka16_crypted.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:121084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 119688
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:121128
- C:\Users\Admin\AppData\Roaming\5172511927.exe
  C:\Users\Admin\AppData\Roaming\5172511927.exe
  2⤵
  - Executes dropped EXE
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5172511927.exe

Filesize
4.0MB

MD5
78efab6b59d6eb880a806d39a0a5a674

SHA1
eb090ebe308976a84529ce5f10326242004a1323

SHA256
c6ac05d2e8cda9f3b3e9f15c33e49f6396a325e83cff62bff1ca7ca932206329

SHA512
15f8f302a3eea8a02d9005d216197c4b6824a64f564c8cbc77155ce5c503ca61e1cf69668d18e9cb44ab68189a4a35a0343cdefd8743285fc6a3871a99704f36

Download Submit
C:\Users\Admin\AppData\Roaming\@norka16_crypted.exe

Filesize
3.9MB

MD5
c5abc9e1019040b141907c6d3083cf23

SHA1
415d2ba3fbb41b59fce4d7563d6eacd415c9075d

SHA256
8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

SHA512
7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

Download Submit
\Users\Admin\AppData\Roaming\5172511927.exe

Filesize
4.0MB

MD5
78efab6b59d6eb880a806d39a0a5a674

SHA1
eb090ebe308976a84529ce5f10326242004a1323

SHA256
c6ac05d2e8cda9f3b3e9f15c33e49f6396a325e83cff62bff1ca7ca932206329

SHA512
15f8f302a3eea8a02d9005d216197c4b6824a64f564c8cbc77155ce5c503ca61e1cf69668d18e9cb44ab68189a4a35a0343cdefd8743285fc6a3871a99704f36

Download Submit
\Users\Admin\AppData\Roaming\5172511927.exe

Filesize
4.0MB

MD5
78efab6b59d6eb880a806d39a0a5a674

SHA1
eb090ebe308976a84529ce5f10326242004a1323

SHA256
c6ac05d2e8cda9f3b3e9f15c33e49f6396a325e83cff62bff1ca7ca932206329

SHA512
15f8f302a3eea8a02d9005d216197c4b6824a64f564c8cbc77155ce5c503ca61e1cf69668d18e9cb44ab68189a4a35a0343cdefd8743285fc6a3871a99704f36

Download Submit
\Users\Admin\AppData\Roaming\@norka16_crypted.exe

Filesize
3.9MB

MD5
c5abc9e1019040b141907c6d3083cf23

SHA1
415d2ba3fbb41b59fce4d7563d6eacd415c9075d

SHA256
8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

SHA512
7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

Download Submit
\Users\Admin\AppData\Roaming\@norka16_crypted.exe

Filesize
3.9MB

MD5
c5abc9e1019040b141907c6d3083cf23

SHA1
415d2ba3fbb41b59fce4d7563d6eacd415c9075d

SHA256
8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

SHA512
7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

Download Submit
\Users\Admin\AppData\Roaming\@norka16_crypted.exe

Filesize
3.9MB

MD5
c5abc9e1019040b141907c6d3083cf23

SHA1
415d2ba3fbb41b59fce4d7563d6eacd415c9075d

SHA256
8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

SHA512
7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

Download Submit
\Users\Admin\AppData\Roaming\@norka16_crypted.exe

Filesize
3.9MB

MD5
c5abc9e1019040b141907c6d3083cf23

SHA1
415d2ba3fbb41b59fce4d7563d6eacd415c9075d

SHA256
8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

SHA512
7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

Download Submit
\Users\Admin\AppData\Roaming\@norka16_crypted.exe

Filesize
3.9MB

MD5
c5abc9e1019040b141907c6d3083cf23

SHA1
415d2ba3fbb41b59fce4d7563d6eacd415c9075d

SHA256
8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

SHA512
7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

Download Submit
\Users\Admin\AppData\Roaming\@norka16_crypted.exe

Filesize
3.9MB

MD5
c5abc9e1019040b141907c6d3083cf23

SHA1
415d2ba3fbb41b59fce4d7563d6eacd415c9075d

SHA256
8b6034c0e31f6e849bc32c965eb2990875dd1c336845afa97cb482dfc82a6906

SHA512
7c6f0aaabeb6f9512f658923bd86d72189e48e5ec504c79f0495920dca9e4fb21fa93cab65a54acda5afc65935c70bfee765731cb0afff9ee411925a592a7dff

Download Submit
memory/272-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1456-67-0x0000000000DD0000-0x0000000001BE2000-memory.dmp

Filesize
14.1MB

Download
memory/1456-85-0x0000000000DD0000-0x0000000001BE2000-memory.dmp

Filesize
14.1MB

Download
memory/1504-63-0x0000000000400000-0x0000000000A9D000-memory.dmp

Filesize
6.6MB

Download
memory/121084-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/121084-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/121084-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/121084-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download