redline | e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d

Analysis

max time kernel
55s
max time network
59s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31-08-2022 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe
Size

4.5MB
MD5

42b6ddf282a3cafbd3b9938b9242ca2f
SHA1

1dc9c7b02cae370032b04aff89f87880e09130dc
SHA256

e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d
SHA512

b87b81d2e7e44031a68740aa391dfca93121adfdb2a9bad055c5f7f0e9bc615e4814f6efea011c9b04a7d15952a42a082c62be2ba02f582af8831cfbab5c552a
SSDEEP

98304:Ed7q/35VJNaUM9LC65bKPGFNW9d50IXDvPyakR3Iauu:Em35PNat9G6lKPu40ePya9auu

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

185.200.191.18:80

Attributes

auth_value
81be690af280fd9c9e7c951600742654

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/184448-180-0x0000000000370000-0x0000000000390000-memory.dmp	family_redline
behavioral1/memory/184448-185-0x000000000038A7CE-mapping.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4124-238-0x0000000000D90000-0x0000000001BA4000-memory.dmp	family_ytstealer
behavioral1/memory/4124-273-0x0000000000D90000-0x0000000001BA4000-memory.dmp	family_ytstealer

Executes dropped EXE 2 IoCs

Processes:

@yuki4onna_crypted.exe1055716893.exe

pid process

2292 @yuki4onna_crypted.exe
4124 1055716893.exe

pid	process
2292	@yuki4onna_crypted.exe
4124	1055716893.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1055716893.exe	upx
C:\Users\Admin\AppData\Roaming\1055716893.exe	upx
behavioral1/memory/4124-179-0x0000000000D90000-0x0000000001BA4000-memory.dmp	upx
behavioral1/memory/4124-238-0x0000000000D90000-0x0000000001BA4000-memory.dmp	upx
behavioral1/memory/4124-273-0x0000000000D90000-0x0000000001BA4000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

@yuki4onna_crypted.exe

description pid process target process

PID 2292 set thread context of 184448 2292 @yuki4onna_crypted.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeAppLaunch.exe

pid process

184780 powershell.exe
184780 powershell.exe
184780 powershell.exe
184448 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 184780 powershell.exe
Token: SeDebugPrivilege 184448 AppLaunch.exe

description	pid	process	target process
PID 2292 set thread context of 184448	2292	@yuki4onna_crypted.exe	AppLaunch.exe

pid	process
184780	powershell.exe
184780	powershell.exe
184780	powershell.exe
184448	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	184780	powershell.exe
Token: SeDebugPrivilege	184448	AppLaunch.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe@yuki4onna_crypted.exe1055716893.exe

description	pid	process	target process
PID 1928 wrote to memory of 2292	1928	e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe	@yuki4onna_crypted.exe
PID 1928 wrote to memory of 2292	1928	e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe	@yuki4onna_crypted.exe
PID 1928 wrote to memory of 2292	1928	e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe	@yuki4onna_crypted.exe
PID 1928 wrote to memory of 4124	1928	e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe	1055716893.exe
PID 1928 wrote to memory of 4124	1928	e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe	1055716893.exe
PID 2292 wrote to memory of 184448	2292	@yuki4onna_crypted.exe	AppLaunch.exe
PID 2292 wrote to memory of 184448	2292	@yuki4onna_crypted.exe	AppLaunch.exe
PID 2292 wrote to memory of 184448	2292	@yuki4onna_crypted.exe	AppLaunch.exe
PID 2292 wrote to memory of 184448	2292	@yuki4onna_crypted.exe	AppLaunch.exe
PID 2292 wrote to memory of 184448	2292	@yuki4onna_crypted.exe	AppLaunch.exe
PID 4124 wrote to memory of 184780	4124	1055716893.exe	powershell.exe
PID 4124 wrote to memory of 184780	4124	1055716893.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe
"C:\Users\Admin\AppData\Local\Temp\e2b835bdb5ab7558876936d5334028654507afd40176244ccd367d56b5c2d45d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Roaming\@yuki4onna_crypted.exe
C:\Users\Admin\AppData\Roaming\@yuki4onna_crypted.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184448

C:\Users\Admin\AppData\Roaming\1055716893.exe
C:\Users\Admin\AppData\Roaming\1055716893.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1055716893.exe
Filesize
4.0MB

MD5
6111addf72040542825c35d671cce5b7

SHA1
c18a06e73418f6b6e7c24fd472218cc345cb8262

SHA256
ad324bc60320dd8a5d9865acfd60b93aa26b2398e41183d7203ae525ea639f26

SHA512
5f10eb726aa22c2cf9c5d3b0e98e908aed81389adf4139265139e1fd7811b788c40108ef99aeed8e3a42a9c0d78ab6e38d8b64e8597f8f8385dc31cae94d4aed

Download Submit
C:\Users\Admin\AppData\Roaming\1055716893.exe
Filesize
4.0MB

MD5
6111addf72040542825c35d671cce5b7

SHA1
c18a06e73418f6b6e7c24fd472218cc345cb8262

SHA256
ad324bc60320dd8a5d9865acfd60b93aa26b2398e41183d7203ae525ea639f26

SHA512
5f10eb726aa22c2cf9c5d3b0e98e908aed81389adf4139265139e1fd7811b788c40108ef99aeed8e3a42a9c0d78ab6e38d8b64e8597f8f8385dc31cae94d4aed

Download Submit
C:\Users\Admin\AppData\Roaming\@yuki4onna_crypted.exe
Filesize
1.1MB

MD5
c89ba4b3553ee2c55aca91875a09c8d3

SHA1
6b432dfe72639ce84431b6453c84e027f0235881

SHA256
71cf8db83d88f6689347e9fc14ba81256ceedd09d8e915340f304cc098d03e25

SHA512
c7cce485b998fce015d1012bd69b89b820366c3b3db085b62553014dc9ca5bf60c976db0b1b8e56ec149f3da6e1401643b9318e61c96d8d823d35538ac79087c

Download Submit
C:\Users\Admin\AppData\Roaming\@yuki4onna_crypted.exe
Filesize
1.1MB

MD5
c89ba4b3553ee2c55aca91875a09c8d3

SHA1
6b432dfe72639ce84431b6453c84e027f0235881

SHA256
71cf8db83d88f6689347e9fc14ba81256ceedd09d8e915340f304cc098d03e25

SHA512
c7cce485b998fce015d1012bd69b89b820366c3b3db085b62553014dc9ca5bf60c976db0b1b8e56ec149f3da6e1401643b9318e61c96d8d823d35538ac79087c

Download Submit
memory/1928-158-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-151-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-122-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-123-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-160-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-125-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-126-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-127-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-128-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-129-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-130-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-131-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-132-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-133-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-134-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-135-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-136-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-137-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-138-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-139-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-140-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-141-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-142-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-143-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-144-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-145-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-146-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-147-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-148-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-149-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-150-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-161-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-152-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-153-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-154-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-155-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-156-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-157-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-120-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-159-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-124-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-121-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-162-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-163-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1928-164-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-175-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-167-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-168-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-169-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-170-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-174-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-176-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-178-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2292-165-0x0000000000000000-mapping.dmp

Download
memory/4124-273-0x0000000000D90000-0x0000000001BA4000-memory.dmp

Filesize
14.1MB

Download
memory/4124-171-0x0000000000000000-mapping.dmp

Download
memory/4124-179-0x0000000000D90000-0x0000000001BA4000-memory.dmp

Filesize
14.1MB

Download
memory/4124-238-0x0000000000D90000-0x0000000001BA4000-memory.dmp

Filesize
14.1MB

Download
memory/184448-325-0x000000000B040000-0x000000000B56C000-memory.dmp

Filesize
5.2MB

Download
memory/184448-192-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/184448-187-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/184448-188-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/184448-185-0x000000000038A7CE-mapping.dmp

Download
memory/184448-180-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/184448-249-0x00000000088F0000-0x000000000893B000-memory.dmp

Filesize
300KB

Download
memory/184448-242-0x0000000008E40000-0x0000000009446000-memory.dmp

Filesize
6.0MB

Download
memory/184448-243-0x0000000008850000-0x0000000008862000-memory.dmp

Filesize
72KB

Download
memory/184448-244-0x0000000008980000-0x0000000008A8A000-memory.dmp

Filesize
1.0MB

Download
memory/184448-247-0x00000000088B0000-0x00000000088EE000-memory.dmp

Filesize
248KB

Download
memory/184448-186-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/184448-596-0x000000000AB60000-0x000000000ABB0000-memory.dmp

Filesize
320KB

Download
memory/184448-190-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/184448-324-0x000000000A940000-0x000000000AB02000-memory.dmp

Filesize
1.8MB

Download
memory/184448-189-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/184448-299-0x000000000A000000-0x000000000A4FE000-memory.dmp

Filesize
5.0MB

Download
memory/184448-302-0x0000000009BC0000-0x0000000009C36000-memory.dmp

Filesize
472KB

Download
memory/184448-303-0x0000000009CE0000-0x0000000009D72000-memory.dmp

Filesize
584KB

Download
memory/184448-307-0x0000000009CC0000-0x0000000009CDE000-memory.dmp

Filesize
120KB

Download
memory/184448-308-0x000000000A600000-0x000000000A666000-memory.dmp

Filesize
408KB

Download
memory/184780-265-0x000001A0F1670000-0x000001A0F16E6000-memory.dmp

Filesize
472KB

Download
memory/184780-262-0x000001A0D9000000-0x000001A0D9022000-memory.dmp

Filesize
136KB

Download
memory/184780-257-0x0000000000000000-mapping.dmp

Download