redline | 0af383db909c314a9e69f1266dd8f50b11816a26d3ff26b5b32f0bf8574f410b

General

Target

setup.exe
Size

4.9MB
MD5

f282768e11d3b0f9543a4dce4e51d563
SHA1

c71b735210380cd0a53db2b4d781cddc5c418fa5
SHA256

0af383db909c314a9e69f1266dd8f50b11816a26d3ff26b5b32f0bf8574f410b
SHA512

6001628abccb1fc01a5a92fb3e91278b1aefe9b2a05b40d98ed577a4bf9a05ec385d12504874a3be1786b5c7e3a5e42bf89530bb935c83a5d4d2b090d4d57995
SSDEEP

98304:iCnkht4Wom20+2hlWDLh88t+IRnBgObfsyzy7seBmhgdOkEWDQPfrSy38km:ibhtgP2hliLXFsyzy7fmMWrSy33m

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

C2

185.200.191.18:80

Attributes

auth_value
8e735c61c3e52e58f4665d971fce8806

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/120004-66-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/120004-71-0x000000000041A7DE-mapping.dmp	family_redline
behavioral1/memory/120004-72-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/120004-73-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/3032-75-0x0000000001250000-0x0000000002064000-memory.dmp	family_ytstealer

Executes dropped EXE 2 IoCs

pid	Process
860	@sp1keeeeee_crypted.exe
3032	1859736053.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001231b-62.dat	upx
behavioral1/files/0x000b00000001231b-60.dat	upx
behavioral1/files/0x000b00000001231b-59.dat	upx
behavioral1/memory/3032-63-0x0000000001250000-0x0000000002064000-memory.dmp	upx
behavioral1/memory/3032-75-0x0000000001250000-0x0000000002064000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1100	setup.exe
1100	setup.exe
1100	setup.exe
1100	setup.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 860 set thread context of 120004	860	@sp1keeeeee_crypted.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
120004	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	120004	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 860	1100	setup.exe	27
PID 1100 wrote to memory of 860	1100	setup.exe	27
PID 1100 wrote to memory of 860	1100	setup.exe	27
PID 1100 wrote to memory of 860	1100	setup.exe	27
PID 1100 wrote to memory of 3032	1100	setup.exe	29
PID 1100 wrote to memory of 3032	1100	setup.exe	29
PID 1100 wrote to memory of 3032	1100	setup.exe	29
PID 1100 wrote to memory of 3032	1100	setup.exe	29
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30
PID 860 wrote to memory of 120004	860	@sp1keeeeee_crypted.exe	30

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Roaming\@sp1keeeeee_crypted.exe
  C:\Users\Admin\AppData\Roaming\@sp1keeeeee_crypted.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:120004
- C:\Users\Admin\AppData\Roaming\1859736053.exe
  C:\Users\Admin\AppData\Roaming\1859736053.exe
  2⤵
  - Executes dropped EXE
  PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1859736053.exe

Filesize
4.0MB

MD5
10b2a9cc7dec335b598856c1974da4fa

SHA1
b95755e2693c58359910bec6e8d0d57051f1ef6f

SHA256
dc678f956695d21ae414b3df2541183fa3641457492e8337e9b74b563f2bc124

SHA512
6f4728899e90f36a27cf106184520b642f72ff54c0ff04a8c069ee33b7a00cee77c3ec2e957a6ff306b17bc6e16e987e284d9015e322325ea5042ee9edd33140

Download Submit
C:\Users\Admin\AppData\Roaming\@sp1keeeeee_crypted.exe

Filesize
2.4MB

MD5
8f2ef7ab3520eccf48d2d32bab887447

SHA1
69237aae807f04e2160475aee36c10a66582bad6

SHA256
6bdd0a39b62d6c0e351fcd504c5430fae0b3e4d8457e0b9f78f69a490b590693

SHA512
8a2276eb3f44227fe6737d83206f09cf33a294ee86834cb7fcf074d0337705cbe68236d19e5dfba55b5c32e281bfcf7d046309e86fb72f2a6829262dae45e5b5

Download Submit
\Users\Admin\AppData\Roaming\1859736053.exe

Filesize
4.0MB

MD5
10b2a9cc7dec335b598856c1974da4fa

SHA1
b95755e2693c58359910bec6e8d0d57051f1ef6f

SHA256
dc678f956695d21ae414b3df2541183fa3641457492e8337e9b74b563f2bc124

SHA512
6f4728899e90f36a27cf106184520b642f72ff54c0ff04a8c069ee33b7a00cee77c3ec2e957a6ff306b17bc6e16e987e284d9015e322325ea5042ee9edd33140

Download Submit
\Users\Admin\AppData\Roaming\1859736053.exe

Filesize
4.0MB

MD5
10b2a9cc7dec335b598856c1974da4fa

SHA1
b95755e2693c58359910bec6e8d0d57051f1ef6f

SHA256
dc678f956695d21ae414b3df2541183fa3641457492e8337e9b74b563f2bc124

SHA512
6f4728899e90f36a27cf106184520b642f72ff54c0ff04a8c069ee33b7a00cee77c3ec2e957a6ff306b17bc6e16e987e284d9015e322325ea5042ee9edd33140

Download Submit
\Users\Admin\AppData\Roaming\@sp1keeeeee_crypted.exe

Filesize
2.4MB

MD5
8f2ef7ab3520eccf48d2d32bab887447

SHA1
69237aae807f04e2160475aee36c10a66582bad6

SHA256
6bdd0a39b62d6c0e351fcd504c5430fae0b3e4d8457e0b9f78f69a490b590693

SHA512
8a2276eb3f44227fe6737d83206f09cf33a294ee86834cb7fcf074d0337705cbe68236d19e5dfba55b5c32e281bfcf7d046309e86fb72f2a6829262dae45e5b5

Download Submit
\Users\Admin\AppData\Roaming\@sp1keeeeee_crypted.exe

Filesize
2.4MB

MD5
8f2ef7ab3520eccf48d2d32bab887447

SHA1
69237aae807f04e2160475aee36c10a66582bad6

SHA256
6bdd0a39b62d6c0e351fcd504c5430fae0b3e4d8457e0b9f78f69a490b590693

SHA512
8a2276eb3f44227fe6737d83206f09cf33a294ee86834cb7fcf074d0337705cbe68236d19e5dfba55b5c32e281bfcf7d046309e86fb72f2a6829262dae45e5b5

Download Submit
memory/1100-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/3032-63-0x0000000001250000-0x0000000002064000-memory.dmp

Filesize
14.1MB

Download
memory/3032-75-0x0000000001250000-0x0000000002064000-memory.dmp

Filesize
14.1MB

Download
memory/120004-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/120004-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/120004-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/120004-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing