redline | 462524577af8eb243217386c635682108a17f617d22299492310c1a05605c629

General

Target

photoshop.exe
Size

4.7MB
MD5

53db74cccfa08badc51bbcf2aa9fcbf0
SHA1

72eac60ae7d95e17bd4dbf2bc9da1daa802111a7
SHA256

7be64a3fd654b4217c6cf82e6de8fa45e30555b58e7422d77ab49da2f6a10a57
SHA512

0d7e22f6a766b8c1d5d72c250c59afb2127032f2312efaaad114ffe8bc12edcbb5439735b43250a2319cd5473f42b9b2eba813d1d2c04f10ccdc78a60d02f8d6

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

C2

185.200.191.18:80

Attributes

auth_value
957400b0c8387b1ada235531e7d098ac

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/181912-140-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4828-138-0x00000000004E0000-0x00000000012F2000-memory.dmp	family_ytstealer
behavioral2/memory/4828-149-0x00000000004E0000-0x00000000012F2000-memory.dmp	family_ytstealer
behavioral2/memory/4828-161-0x00000000004E0000-0x00000000012F2000-memory.dmp	family_ytstealer

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

@kardibe_crypted.exe5392915961.exeStarter.exe

pid process

4848 @kardibe_crypted.exe
4828 5392915961.exe
2576 Starter.exe

pid	process
4848	@kardibe_crypted.exe
4828	5392915961.exe
2576	Starter.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\5392915961.exe	upx
C:\Users\Admin\AppData\Roaming\5392915961.exe	upx
behavioral2/memory/4828-138-0x00000000004E0000-0x00000000012F2000-memory.dmp	upx
behavioral2/memory/4828-149-0x00000000004E0000-0x00000000012F2000-memory.dmp	upx
behavioral2/memory/4828-161-0x00000000004E0000-0x00000000012F2000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

@kardibe_crypted.exe

description pid process target process

PID 4848 set thread context of 181912 4848 @kardibe_crypted.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AppLaunch.exepowershell.exe

pid process

181912 AppLaunch.exe
182088 powershell.exe
182088 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.exepowershell.exeStarter.exe

description pid process

Token: SeDebugPrivilege 181912 AppLaunch.exe
Token: SeDebugPrivilege 182088 powershell.exe
Token: SeDebugPrivilege 2576 Starter.exe

description	pid	process	target process
PID 4848 set thread context of 181912	4848	@kardibe_crypted.exe	AppLaunch.exe

pid	process
181912	AppLaunch.exe
182088	powershell.exe
182088	powershell.exe

description	pid	process
Token: SeDebugPrivilege	181912	AppLaunch.exe
Token: SeDebugPrivilege	182088	powershell.exe
Token: SeDebugPrivilege	2576	Starter.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

photoshop.exe@kardibe_crypted.exe5392915961.exeAppLaunch.exe

description	pid	process	target process
PID 4628 wrote to memory of 4848	4628	photoshop.exe	@kardibe_crypted.exe
PID 4628 wrote to memory of 4848	4628	photoshop.exe	@kardibe_crypted.exe
PID 4628 wrote to memory of 4848	4628	photoshop.exe	@kardibe_crypted.exe
PID 4628 wrote to memory of 4828	4628	photoshop.exe	5392915961.exe
PID 4628 wrote to memory of 4828	4628	photoshop.exe	5392915961.exe
PID 4848 wrote to memory of 181912	4848	@kardibe_crypted.exe	AppLaunch.exe
PID 4848 wrote to memory of 181912	4848	@kardibe_crypted.exe	AppLaunch.exe
PID 4848 wrote to memory of 181912	4848	@kardibe_crypted.exe	AppLaunch.exe
PID 4848 wrote to memory of 181912	4848	@kardibe_crypted.exe	AppLaunch.exe
PID 4848 wrote to memory of 181912	4848	@kardibe_crypted.exe	AppLaunch.exe
PID 4828 wrote to memory of 182088	4828	5392915961.exe	powershell.exe
PID 4828 wrote to memory of 182088	4828	5392915961.exe	powershell.exe
PID 181912 wrote to memory of 2576	181912	AppLaunch.exe	Starter.exe
PID 181912 wrote to memory of 2576	181912	AppLaunch.exe	Starter.exe
PID 181912 wrote to memory of 2576	181912	AppLaunch.exe	Starter.exe

C:\Users\Admin\AppData\Local\Temp\photoshop.exe
"C:\Users\Admin\AppData\Local\Temp\photoshop.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Roaming\@kardibe_crypted.exe
C:\Users\Admin\AppData\Roaming\@kardibe_crypted.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:181912

C:\Users\Admin\AppData\Local\Temp\Starter.exe
"C:\Users\Admin\AppData\Local\Temp\Starter.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\AppData\Roaming\5392915961.exe
C:\Users\Admin\AppData\Roaming\5392915961.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:182088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
1e318a6152ba2941f2d8e4d4964507bc

SHA1
acccf2089930a983590a112b7942cb3a43c16bff

SHA256
9c69491490426b733b32c024c92f71cca58a4e19e5360a280ba28437a941b8a1

SHA512
d7c1874b5713ab1401e512a081a3b69c5dda2a7dfe04f725a100ea8089bf6040a91d5ecd6089d9c9cea937d6dee4147828caaa42636d371d7f2122ebce5200a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
1e318a6152ba2941f2d8e4d4964507bc

SHA1
acccf2089930a983590a112b7942cb3a43c16bff

SHA256
9c69491490426b733b32c024c92f71cca58a4e19e5360a280ba28437a941b8a1

SHA512
d7c1874b5713ab1401e512a081a3b69c5dda2a7dfe04f725a100ea8089bf6040a91d5ecd6089d9c9cea937d6dee4147828caaa42636d371d7f2122ebce5200a1

Download Submit
C:\Users\Admin\AppData\Roaming\5392915961.exe

Filesize
4.0MB

MD5
098155045d3e602f57fee49aae5f21cc

SHA1
95755d905746a7ea9adab4023da70f5882f8a9be

SHA256
e56a0030c158edcf8ed747320d49e72b0c11b79285b850c4f9848d48febf002c

SHA512
8cfc7704a859d52a4f9f43cff8e5f5e6b6b0c7ca8140a854180a975ff7e1478c25d32833fc45a5d57bf56137d52b8368bf34dd19659f1c50e09c7709949c0991

Download Submit
C:\Users\Admin\AppData\Roaming\5392915961.exe

Filesize
4.0MB

MD5
098155045d3e602f57fee49aae5f21cc

SHA1
95755d905746a7ea9adab4023da70f5882f8a9be

SHA256
e56a0030c158edcf8ed747320d49e72b0c11b79285b850c4f9848d48febf002c

SHA512
8cfc7704a859d52a4f9f43cff8e5f5e6b6b0c7ca8140a854180a975ff7e1478c25d32833fc45a5d57bf56137d52b8368bf34dd19659f1c50e09c7709949c0991

Download Submit
C:\Users\Admin\AppData\Roaming\@kardibe_crypted.exe

Filesize
2.4MB

MD5
fdd4cddf87a834e2db017ecc8eb907e2

SHA1
7c20b1504c9a728706726def51f3ecb688b4f1af

SHA256
f4f087de01ef8ba256418cd097100f4f2f1ca4e1a5b010dc7482457d242e478e

SHA512
0b8eadb7be72500d9e68f6ed72aca9432b1c9305fede39b0a8e66273c50007902a69f828d647dad4a0738fc0841221e67e6c79b0bfbf71a5dfd3f562001d3880

Download Submit
C:\Users\Admin\AppData\Roaming\@kardibe_crypted.exe

Filesize
2.4MB

MD5
fdd4cddf87a834e2db017ecc8eb907e2

SHA1
7c20b1504c9a728706726def51f3ecb688b4f1af

SHA256
f4f087de01ef8ba256418cd097100f4f2f1ca4e1a5b010dc7482457d242e478e

SHA512
0b8eadb7be72500d9e68f6ed72aca9432b1c9305fede39b0a8e66273c50007902a69f828d647dad4a0738fc0841221e67e6c79b0bfbf71a5dfd3f562001d3880

Download Submit
memory/2576-167-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/2576-166-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2576-163-0x0000000000000000-mapping.dmp

Download
memory/4828-138-0x00000000004E0000-0x00000000012F2000-memory.dmp

Filesize
14.1MB

Download
memory/4828-134-0x0000000000000000-mapping.dmp

Download
memory/4828-161-0x00000000004E0000-0x00000000012F2000-memory.dmp

Filesize
14.1MB

Download
memory/4828-149-0x00000000004E0000-0x00000000012F2000-memory.dmp

Filesize
14.1MB

Download
memory/4848-132-0x0000000000000000-mapping.dmp

Download
memory/181912-152-0x0000000007090000-0x0000000007634000-memory.dmp

Filesize
5.6MB

Download
memory/181912-147-0x00000000056F0000-0x00000000057FA000-memory.dmp

Filesize
1.0MB

Download
memory/181912-150-0x0000000006920000-0x0000000006996000-memory.dmp

Filesize
472KB

Download
memory/181912-153-0x0000000006A20000-0x0000000006A3E000-memory.dmp

Filesize
120KB

Download
memory/181912-154-0x0000000006E10000-0x0000000006E76000-memory.dmp

Filesize
408KB

Download
memory/181912-139-0x0000000000000000-mapping.dmp

Download
memory/181912-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/181912-145-0x0000000005B40000-0x0000000006158000-memory.dmp

Filesize
6.1MB

Download
memory/181912-146-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/181912-159-0x00000000084C0000-0x0000000008682000-memory.dmp

Filesize
1.8MB

Download
memory/181912-160-0x0000000008BC0000-0x00000000090EC000-memory.dmp

Filesize
5.2MB

Download
memory/181912-148-0x0000000005620000-0x000000000565C000-memory.dmp

Filesize
240KB

Download
memory/181912-162-0x0000000007900000-0x0000000007950000-memory.dmp

Filesize
320KB

Download
memory/181912-151-0x0000000006A40000-0x0000000006AD2000-memory.dmp

Filesize
584KB

Download
memory/182088-158-0x00007FFBBC570000-0x00007FFBBD031000-memory.dmp

Filesize
10.8MB

Download
memory/182088-157-0x00007FFBBC570000-0x00007FFBBD031000-memory.dmp

Filesize
10.8MB

Download
memory/182088-156-0x000002379D690000-0x000002379D6B2000-memory.dmp

Filesize
136KB

Download
memory/182088-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads