redline | 8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d

Analysis

max time kernel
48s
max time network
57s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
16-09-2022 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5DDFCF4815E94C48F1031CED6E010868.exe
Size

4.6MB
MD5

5ddfcf4815e94c48f1031ced6e010868
SHA1

a4e2383b7ef2b19279dab80c1393fa0bf49bd160
SHA256

8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d
SHA512

828dc460f0961fc0a6e503aca6089b41ad64ed3cd20c7bdf31d390f25b889cb03ca244ab76ac7da4934a74e793055576b11505528e32a0f20ca41186782fe888
SSDEEP

98304:EupPsMZmR207JGQUs0tYapHunTkOr8hGRWtg6hYemraATFotYuoz:Euplmk00psYAkOr6tgECXTGeuI

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

45.138.74.121:80

Attributes

auth_value
b9baf351bc89181c836a21fda4084a03

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/92208-66-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/92208-71-0x00000000000B27CE-mapping.dmp	family_redline
behavioral1/memory/92208-72-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/92208-73-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/4020-75-0x0000000000B10000-0x000000000192B000-memory.dmp	family_ytstealer

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1548	@colored_tea_breakfast_crypted.exe
4020	5075132399.exe
92504	Starter.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001413a-60.dat	upx
behavioral1/files/0x000800000001413a-62.dat	upx
behavioral1/files/0x000800000001413a-59.dat	upx
behavioral1/memory/4020-63-0x0000000000B10000-0x000000000192B000-memory.dmp	upx
behavioral1/memory/4020-75-0x0000000000B10000-0x000000000192B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1544	5DDFCF4815E94C48F1031CED6E010868.exe
1544	5DDFCF4815E94C48F1031CED6E010868.exe
1544	5DDFCF4815E94C48F1031CED6E010868.exe
1544	5DDFCF4815E94C48F1031CED6E010868.exe
92208	AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 92208	1548	@colored_tea_breakfast_crypted.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
92208	AppLaunch.exe
92208	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	92208	AppLaunch.exe
Token: SeDebugPrivilege	92504	Starter.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1548	1544	5DDFCF4815E94C48F1031CED6E010868.exe	26
PID 1544 wrote to memory of 1548	1544	5DDFCF4815E94C48F1031CED6E010868.exe	26
PID 1544 wrote to memory of 1548	1544	5DDFCF4815E94C48F1031CED6E010868.exe	26
PID 1544 wrote to memory of 1548	1544	5DDFCF4815E94C48F1031CED6E010868.exe	26
PID 1544 wrote to memory of 4020	1544	5DDFCF4815E94C48F1031CED6E010868.exe	28
PID 1544 wrote to memory of 4020	1544	5DDFCF4815E94C48F1031CED6E010868.exe	28
PID 1544 wrote to memory of 4020	1544	5DDFCF4815E94C48F1031CED6E010868.exe	28
PID 1544 wrote to memory of 4020	1544	5DDFCF4815E94C48F1031CED6E010868.exe	28
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 1548 wrote to memory of 92208	1548	@colored_tea_breakfast_crypted.exe	29
PID 92208 wrote to memory of 92504	92208	AppLaunch.exe	31
PID 92208 wrote to memory of 92504	92208	AppLaunch.exe	31
PID 92208 wrote to memory of 92504	92208	AppLaunch.exe	31
PID 92208 wrote to memory of 92504	92208	AppLaunch.exe	31
PID 92208 wrote to memory of 92504	92208	AppLaunch.exe	31
PID 92208 wrote to memory of 92504	92208	AppLaunch.exe	31
PID 92208 wrote to memory of 92504	92208	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe
"C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
  C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:92208
  - - C:\Users\Admin\AppData\Local\Temp\Starter.exe
      "C:\Users\Admin\AppData\Local\Temp\Starter.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:92504
- C:\Users\Admin\AppData\Roaming\5075132399.exe
  C:\Users\Admin\AppData\Roaming\5075132399.exe
  2⤵
  - Executes dropped EXE
  PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
e9716ff7745b73a8ce8dd146737dd6b1

SHA1
7556845b4bb4ffa12bc25d85fabf699881310cf1

SHA256
f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05

SHA512
c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
e9716ff7745b73a8ce8dd146737dd6b1

SHA1
7556845b4bb4ffa12bc25d85fabf699881310cf1

SHA256
f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05

SHA512
c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e

Download Submit
C:\Users\Admin\AppData\Roaming\5075132399.exe

Filesize
4.1MB

MD5
39c82e2f3a3c5d438aeafae69664b525

SHA1
0f000990a2f611801248fe953a665bf28775698d

SHA256
c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

SHA512
30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

Download Submit
C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe

Filesize
1.2MB

MD5
4b7a101c5d6583f67fa574f7d9eab212

SHA1
88f34c4b0491dc3490fdce653d43a2f1b45943a5

SHA256
6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

SHA512
449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

Download Submit
\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
e9716ff7745b73a8ce8dd146737dd6b1

SHA1
7556845b4bb4ffa12bc25d85fabf699881310cf1

SHA256
f89e45132fac0092760b11fb7ee37f92d2ec9b83d37ec6f50843366d78862e05

SHA512
c9938bde8d3f4fd0966f79373c0e6214269b93b39b8e943c90ad494379a63919655972e0569deda8d22d441926e2b11b461553c5f93048b03022d9743a0b9f1e

Download Submit
\Users\Admin\AppData\Roaming\5075132399.exe

Filesize
4.1MB

MD5
39c82e2f3a3c5d438aeafae69664b525

SHA1
0f000990a2f611801248fe953a665bf28775698d

SHA256
c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

SHA512
30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

Download Submit
\Users\Admin\AppData\Roaming\5075132399.exe

Filesize
4.1MB

MD5
39c82e2f3a3c5d438aeafae69664b525

SHA1
0f000990a2f611801248fe953a665bf28775698d

SHA256
c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

SHA512
30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

Download Submit
\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe

Filesize
1.2MB

MD5
4b7a101c5d6583f67fa574f7d9eab212

SHA1
88f34c4b0491dc3490fdce653d43a2f1b45943a5

SHA256
6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

SHA512
449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

Download Submit
\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe

Filesize
1.2MB

MD5
4b7a101c5d6583f67fa574f7d9eab212

SHA1
88f34c4b0491dc3490fdce653d43a2f1b45943a5

SHA256
6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

SHA512
449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

Download Submit
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/4020-75-0x0000000000B10000-0x000000000192B000-memory.dmp

Filesize
14.1MB

Download
memory/4020-63-0x0000000000B10000-0x000000000192B000-memory.dmp

Filesize
14.1MB

Download
memory/92208-72-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/92208-73-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/92208-66-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/92208-64-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/92504-81-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download