redline | 0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38

Analysis

max time kernel
310s
max time network
319s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20-08-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe
Size

139KB
MD5

cd025972c4df727a0fce903a1209c627
SHA1

cc14e518cafcc81c3c44384c491f1ee7634aef37
SHA256

0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38
SHA512

af2c4ddc79dc98eefa65ccd5aac13918f97fcdb2857b4a344d3ca3e3277579387f13642894a8e561e88c713f3d56965673453e68d7cfb33bbaa9568e2b2dc03d

Score

10^/10

redline ytstealer a1 infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

Botnet

65.21.133.231:47430

Attributes

auth_value
b7563e1c5afab74eb0301a1cb2907974

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4760-157-0x000000000041ADA6-mapping.dmp	family_redline
behavioral2/memory/4760-156-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3672-655-0x0000000000BB0000-0x00000000019C1000-memory.dmp	family_ytstealer
behavioral2/memory/3672-673-0x0000000000BB0000-0x00000000019C1000-memory.dmp	family_ytstealer

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

333.exe

pid process

3672 333.exe

pid	process
3672	333.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\333.exe	upx
C:\Users\Admin\AppData\Local\Temp\333.exe	upx
behavioral2/memory/3672-652-0x0000000000BB0000-0x00000000019C1000-memory.dmp	upx
behavioral2/memory/3672-655-0x0000000000BB0000-0x00000000019C1000-memory.dmp	upx
behavioral2/memory/3672-673-0x0000000000BB0000-0x00000000019C1000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe

description	pid	process	target process
PID 4260 set thread context of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exepowershell.exe

pid process

4760 vbc.exe
4084 powershell.exe
4084 powershell.exe
4084 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4760 vbc.exe
Token: SeDebugPrivilege 4084 powershell.exe

pid	process
4760	vbc.exe
4084	powershell.exe
4084	powershell.exe
4084	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4760	vbc.exe
Token: SeDebugPrivilege	4084	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exevbc.exe333.exe

description	pid	process	target process
PID 4260 wrote to memory of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe
PID 4260 wrote to memory of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe
PID 4260 wrote to memory of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe
PID 4260 wrote to memory of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe
PID 4260 wrote to memory of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe
PID 4260 wrote to memory of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe
PID 4260 wrote to memory of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe
PID 4260 wrote to memory of 4760	4260	0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe	vbc.exe
PID 4760 wrote to memory of 3672	4760	vbc.exe	333.exe
PID 4760 wrote to memory of 3672	4760	vbc.exe	333.exe
PID 3672 wrote to memory of 4084	3672	333.exe	powershell.exe
PID 3672 wrote to memory of 4084	3672	333.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe
"C:\Users\Admin\AppData\Local\Temp\0ae70b2fd3eb1c5f9db020f03f183863be0a753ba97921152092e7cd4eed4d38.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\333.exe
"C:\Users\Admin\AppData\Local\Temp\333.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\333.exe

Filesize
4.0MB

MD5
54759c68e5daf4d0195ccc4bd929b6ce

SHA1
4dd9a7932308baec2b2d9d5e87aca88a488ac74e

SHA256
7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

SHA512
1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\333.exe

Filesize
4.0MB

MD5
54759c68e5daf4d0195ccc4bd929b6ce

SHA1
4dd9a7932308baec2b2d9d5e87aca88a488ac74e

SHA256
7819f51ad0cc844210b83cc218fe2c750c87cfc6f0c21921a3ceebc62b76b060

SHA512
1ca17ba07d44b26e25e7594a33510d772079e754fa8c06cde97cc5ede4d5a40e2e5ba0605ea1b075ac3e4e3c167075dacbd86094d5e5861195d1376352572d12

Download Submit
memory/3672-646-0x0000000000000000-mapping.dmp

Download
memory/3672-652-0x0000000000BB0000-0x00000000019C1000-memory.dmp

Filesize
14.1MB

Download
memory/3672-673-0x0000000000BB0000-0x00000000019C1000-memory.dmp

Filesize
14.1MB

Download
memory/3672-655-0x0000000000BB0000-0x00000000019C1000-memory.dmp

Filesize
14.1MB

Download
memory/4084-665-0x00000298E7A80000-0x00000298E7AF6000-memory.dmp

Filesize
472KB

Download
memory/4084-662-0x00000298E78D0000-0x00000298E78F2000-memory.dmp

Filesize
136KB

Download
memory/4084-656-0x0000000000000000-mapping.dmp

Download
memory/4260-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-115-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-148-0x00000000006D0000-0x00000000006FA000-memory.dmp

Filesize
168KB

Download
memory/4260-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-152-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-153-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4260-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-518-0x000000000AD20000-0x000000000AEE2000-memory.dmp

Filesize
1.8MB

Download
memory/4760-156-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4760-178-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-181-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-182-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-179-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-175-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-171-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-169-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-180-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-214-0x00000000097A0000-0x0000000009DA6000-memory.dmp

Filesize
6.0MB

Download
memory/4760-216-0x00000000092A0000-0x00000000093AA000-memory.dmp

Filesize
1.0MB

Download
memory/4760-219-0x00000000091D0000-0x000000000920E000-memory.dmp

Filesize
248KB

Download
memory/4760-221-0x0000000009210000-0x000000000925B000-memory.dmp

Filesize
300KB

Download
memory/4760-215-0x0000000006DF0000-0x0000000006E02000-memory.dmp

Filesize
72KB

Download
memory/4760-162-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-248-0x000000000A1A0000-0x000000000A216000-memory.dmp

Filesize
472KB

Download
memory/4760-249-0x000000000A2C0000-0x000000000A352000-memory.dmp

Filesize
584KB

Download
memory/4760-170-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-240-0x0000000009EB0000-0x0000000009F16000-memory.dmp

Filesize
408KB

Download
memory/4760-157-0x000000000041ADA6-mapping.dmp

Download
memory/4760-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-253-0x000000000A280000-0x000000000A29E000-memory.dmp

Filesize
120KB

Download
memory/4760-509-0x000000000B800000-0x000000000B850000-memory.dmp

Filesize
320KB

Download
memory/4760-236-0x000000000A3B0000-0x000000000A8AE000-memory.dmp

Filesize
5.0MB

Download
memory/4760-519-0x000000000BD80000-0x000000000C2AC000-memory.dmp

Filesize
5.2MB

Download