redline | f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b

Analysis

max time kernel
71s
max time network
180s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-08-2022 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe
Size

4.7MB
MD5

f4ee53801ab804bfdc50d03daaf50595
SHA1

c9748bca6c56c59280052b89a2d2a69ef348fdfa
SHA256

f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b
SHA512

72ee2ccb2e520f2cd9a54217ba85c1228529cb2ae7e103e0f3892a5910b9b29d54d7b427029bfc624b091b391e88eac906eb9305873972ba89ea1d507ca3ef98

Score

10^/10

redline ytstealer s32 infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

s32

185.106.92.56:48079

Attributes

auth_value
9ad5135eac94b69fb550f1f6a2c7e142

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1520-3859-0x000000000041ADBA-mapping.dmp	family_redline
behavioral2/memory/1520-3893-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2268-3983-0x0000000000F20000-0x0000000001D31000-memory.dmp	family_ytstealer
behavioral2/memory/2268-4002-0x0000000000F20000-0x0000000001D31000-memory.dmp	family_ytstealer

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

333.exe

pid process

2268 333.exe

pid	process
2268	333.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\333.exe	upx
C:\Users\Admin\AppData\Local\Temp\333.exe	upx
behavioral2/memory/2268-3981-0x0000000000F20000-0x0000000001D31000-memory.dmp	upx
behavioral2/memory/2268-3983-0x0000000000F20000-0x0000000001D31000-memory.dmp	upx
behavioral2/memory/2268-4002-0x0000000000F20000-0x0000000001D31000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe

description	pid	process	target process
PID 2672 set thread context of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exef187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exeaspnet_compiler.exepowershell.exe

pid	process
4596	powershell.exe
4596	powershell.exe
4596	powershell.exe
2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe
2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe
1520	aspnet_compiler.exe
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exepowershell.exeaspnet_compiler.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	1520	aspnet_compiler.exe
Token: SeDebugPrivilege	1004	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exeaspnet_compiler.exe333.exe

description	pid	process	target process
PID 2672 wrote to memory of 4596	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	powershell.exe
PID 2672 wrote to memory of 4596	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	powershell.exe
PID 2672 wrote to memory of 4596	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	powershell.exe
PID 2672 wrote to memory of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe
PID 2672 wrote to memory of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe
PID 2672 wrote to memory of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe
PID 2672 wrote to memory of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe
PID 2672 wrote to memory of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe
PID 2672 wrote to memory of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe
PID 2672 wrote to memory of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe
PID 2672 wrote to memory of 1520	2672	f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe	aspnet_compiler.exe
PID 1520 wrote to memory of 2268	1520	aspnet_compiler.exe	333.exe
PID 1520 wrote to memory of 2268	1520	aspnet_compiler.exe	333.exe
PID 2268 wrote to memory of 1004	2268	333.exe	powershell.exe
PID 2268 wrote to memory of 1004	2268	333.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe
"C:\Users\Admin\AppData\Local\Temp\f187b170f2d586038f73311d31f879c574b2a6aef8e41e776a5ba3710484338b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\333.exe
"C:\Users\Admin\AppData\Local\Temp\333.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
697f689b67b84f169270c2d745de3e37

SHA1
d0ac5974855d84bf2b03d5703770e74b5d8d9242

SHA256
b69d89b68bd99684b5812483c9f34b517896876820d8c3fc50d493b35b16c8a8

SHA512
bd6a078f172bf3bd25c7774d38b8644dc7011609da344e7342b7735ac148db685e1d31f3803983411134f99741147d09d32c3de77ed43abfc72992efc2839792

Download Submit
C:\Users\Admin\AppData\Local\Temp\333.exe

Filesize
4.0MB

MD5
54759c68e5daf4d0195ccc4bd929b6ce

SHA1
4dd9a7932308baec2b2d9d5e87aca88a488ac74e

SHA256
7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

SHA512
1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\333.exe

Filesize
4.0MB

MD5
54759c68e5daf4d0195ccc4bd929b6ce

SHA1
4dd9a7932308baec2b2d9d5e87aca88a488ac74e

SHA256
7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

SHA512
1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

Download Submit
memory/1004-3984-0x0000000000000000-mapping.dmp

Download
memory/1004-3993-0x0000015BEF7E0000-0x0000015BEF856000-memory.dmp

Filesize
472KB

Download
memory/1004-3989-0x0000015BD7150000-0x0000015BD7172000-memory.dmp

Filesize
136KB

Download
memory/1520-3938-0x0000000006FF0000-0x00000000071B2000-memory.dmp

Filesize
1.8MB

Download
memory/1520-3939-0x00000000076F0000-0x0000000007C1C000-memory.dmp

Filesize
5.2MB

Download
memory/1520-3915-0x00000000053E0000-0x00000000053F2000-memory.dmp

Filesize
72KB

Download
memory/1520-3916-0x0000000005510000-0x000000000561A000-memory.dmp

Filesize
1.0MB

Download
memory/1520-3914-0x0000000005970000-0x0000000005F76000-memory.dmp

Filesize
6.0MB

Download
memory/1520-3893-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1520-3919-0x0000000005440000-0x000000000547E000-memory.dmp

Filesize
248KB

Download
memory/1520-3921-0x0000000005480000-0x00000000054CB000-memory.dmp

Filesize
300KB

Download
memory/1520-3859-0x000000000041ADBA-mapping.dmp

Download
memory/1520-3937-0x0000000006DD0000-0x0000000006E20000-memory.dmp

Filesize
320KB

Download
memory/1520-3936-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/2268-4002-0x0000000000F20000-0x0000000001D31000-memory.dmp

Filesize
14.1MB

Download
memory/2268-3975-0x0000000000000000-mapping.dmp

Download
memory/2268-3981-0x0000000000F20000-0x0000000001D31000-memory.dmp

Filesize
14.1MB

Download
memory/2268-3983-0x0000000000F20000-0x0000000001D31000-memory.dmp

Filesize
14.1MB

Download
memory/2672-165-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-176-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-137-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-138-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-139-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-140-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-141-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-142-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-143-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-144-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-145-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-146-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-147-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-148-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-149-0x00000000002A0000-0x0000000000764000-memory.dmp

Filesize
4.8MB

Download
memory/2672-150-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-151-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-152-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-153-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-154-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-155-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-156-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-157-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-158-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-159-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-160-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-161-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-162-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-163-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-164-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-135-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-166-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-167-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-168-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-169-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-170-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-171-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-172-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-173-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-174-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-175-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-136-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-177-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-178-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-179-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-180-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-184-0x0000000005770000-0x0000000005858000-memory.dmp

Filesize
928KB

Download
memory/2672-3747-0x00000000058C0000-0x000000000590A000-memory.dmp

Filesize
296KB

Download
memory/2672-3749-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/2672-3750-0x0000000005AB0000-0x0000000005AD2000-memory.dmp

Filesize
136KB

Download
memory/2672-3752-0x0000000005C80000-0x0000000005FD0000-memory.dmp

Filesize
3.3MB

Download
memory/2672-3856-0x0000000019F70000-0x000000001A002000-memory.dmp

Filesize
584KB

Download
memory/2672-3857-0x000000001A510000-0x000000001AA0E000-memory.dmp

Filesize
5.0MB

Download
memory/2672-116-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-117-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-118-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-119-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-120-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-134-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-133-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-132-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-131-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-130-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-129-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-124-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-128-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-127-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-126-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-125-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-123-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-122-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/2672-121-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4596-3825-0x00000000077E0000-0x0000000007846000-memory.dmp

Filesize
408KB

Download
memory/4596-3824-0x0000000007770000-0x00000000077D6000-memory.dmp

Filesize
408KB

Download
memory/4596-3805-0x0000000007870000-0x0000000007E98000-memory.dmp

Filesize
6.2MB

Download
memory/4596-3800-0x0000000004F10000-0x0000000004F46000-memory.dmp

Filesize
216KB

Download
memory/4596-3764-0x0000000000000000-mapping.dmp

Download
memory/4596-3828-0x0000000007850000-0x000000000786C000-memory.dmp

Filesize
112KB

Download
memory/4596-3829-0x0000000008760000-0x00000000087AB000-memory.dmp

Filesize
300KB

Download
memory/4596-3833-0x0000000008640000-0x00000000086B6000-memory.dmp

Filesize
472KB

Download
memory/4596-3844-0x0000000009DC0000-0x000000000A438000-memory.dmp

Filesize
6.5MB

Download
memory/4596-3845-0x0000000009500000-0x000000000951A000-memory.dmp

Filesize
104KB

Download