redline | 5b1631e62695df1c79327fed96c727cd96b36efa361684e4904b33511270b448

General

Target

Installer.exe
Size

484KB
MD5

03cdd6991df7a2498cb90fa4de87971f
SHA1

1aaad6f995efaf38901c85d5da15f9f2376c9832
SHA256

5b1631e62695df1c79327fed96c727cd96b36efa361684e4904b33511270b448
SHA512

a894ec1c172ff2c7ba64bfdd4ade0b7ab681c102bf11a73d3dfe4fcefd458d69b0982f22530a3617dfd1c71a442aa61e160bfb38c5358030684de88746feaa76
SSDEEP

6144:+ordzu35yDrfG6ZyRO53lRye6Vq990OdHg31nE1pp0I6zgGmr3jidUMAOvVXc:Xdzu3CjGu6Vq99Y9fGZMBpc

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes

auth_value
7f9e6cf941b1bf2200810271959a3881

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/152612-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/152612-61-0x000000000041B53E-mapping.dmp	family_redline
behavioral1/memory/152612-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/152612-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/152968-74-0x0000000000DA0000-0x0000000001BB2000-memory.dmp	family_ytstealer

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
152968	start.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014142-66.dat	upx
behavioral1/files/0x0007000000014142-67.dat	upx
behavioral1/files/0x0007000000014142-69.dat	upx
behavioral1/memory/152968-72-0x0000000000DA0000-0x0000000001BB2000-memory.dmp	upx
behavioral1/memory/152968-74-0x0000000000DA0000-0x0000000001BB2000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
152612	AppLaunch.exe
152612	AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 152612	1500	Installer.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
152660	1500	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
152612	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	152612	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152612	1500	Installer.exe	28
PID 1500 wrote to memory of 152660	1500	Installer.exe	29
PID 1500 wrote to memory of 152660	1500	Installer.exe	29
PID 1500 wrote to memory of 152660	1500	Installer.exe	29
PID 1500 wrote to memory of 152660	1500	Installer.exe	29
PID 152612 wrote to memory of 152968	152612	AppLaunch.exe	31
PID 152612 wrote to memory of 152968	152612	AppLaunch.exe	31
PID 152612 wrote to memory of 152968	152612	AppLaunch.exe	31
PID 152612 wrote to memory of 152968	152612	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:152612
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    PID:152968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 151256
  2⤵
  - Program crash
  PID:152660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
memory/152612-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/152612-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/152612-64-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/152612-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/152612-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/152612-70-0x0000000007750000-0x0000000008562000-memory.dmp

Filesize
14.1MB

Download
memory/152612-71-0x0000000007750000-0x0000000008562000-memory.dmp

Filesize
14.1MB

Download
memory/152612-73-0x0000000007750000-0x0000000008562000-memory.dmp

Filesize
14.1MB

Download
memory/152968-72-0x0000000000DA0000-0x0000000001BB2000-memory.dmp

Filesize
14.1MB

Download
memory/152968-74-0x0000000000DA0000-0x0000000001BB2000-memory.dmp

Filesize
14.1MB

Download

Analysis

Sharing