redline | 8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d

General

Target

5DDFCF4815E94C48F1031CED6E010868.exe
Size

4.6MB
MD5

5ddfcf4815e94c48f1031ced6e010868
SHA1

a4e2383b7ef2b19279dab80c1393fa0bf49bd160
SHA256

8d73bdbb7100a3189c890f3c579c245bd19c75f5ace2aee9bb0fb3a11072f48d
SHA512

828dc460f0961fc0a6e503aca6089b41ad64ed3cd20c7bdf31d390f25b889cb03ca244ab76ac7da4934a74e793055576b11505528e32a0f20ca41186782fe888
SSDEEP

98304:EupPsMZmR207JGQUs0tYapHunTkOr8hGRWtg6hYemraATFotYuoz:Euplmk00psYAkOr6tgECXTGeuI

Score

10^/10

redline ytstealer infostealer spyware stealer upx

Malware Config

Extracted

Family

redline

C2

45.138.74.121:80

Attributes

auth_value
b9baf351bc89181c836a21fda4084a03

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/100148-140-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmp	family_ytstealer
behavioral2/memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmp	family_ytstealer

Executes dropped EXE 2 IoCs

pid	Process
4928	@colored_tea_breakfast_crypted.exe
388	5075132399.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000723-137.dat	upx
behavioral2/files/0x0003000000000723-136.dat	upx
behavioral2/memory/388-138-0x0000000000980000-0x000000000179B000-memory.dmp	upx
behavioral2/memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmp	upx
behavioral2/memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 100148	4928	@colored_tea_breakfast_crypted.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3504	powershell.exe
3504	powershell.exe
100148	AppLaunch.exe
100148	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	100148	AppLaunch.exe
Token: SeDebugPrivilege	3504	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4928	2364	5DDFCF4815E94C48F1031CED6E010868.exe	79
PID 2364 wrote to memory of 4928	2364	5DDFCF4815E94C48F1031CED6E010868.exe	79
PID 2364 wrote to memory of 4928	2364	5DDFCF4815E94C48F1031CED6E010868.exe	79
PID 2364 wrote to memory of 388	2364	5DDFCF4815E94C48F1031CED6E010868.exe	81
PID 2364 wrote to memory of 388	2364	5DDFCF4815E94C48F1031CED6E010868.exe	81
PID 4928 wrote to memory of 100148	4928	@colored_tea_breakfast_crypted.exe	82
PID 4928 wrote to memory of 100148	4928	@colored_tea_breakfast_crypted.exe	82
PID 4928 wrote to memory of 100148	4928	@colored_tea_breakfast_crypted.exe	82
PID 4928 wrote to memory of 100148	4928	@colored_tea_breakfast_crypted.exe	82
PID 4928 wrote to memory of 100148	4928	@colored_tea_breakfast_crypted.exe	82
PID 388 wrote to memory of 3504	388	5075132399.exe	89
PID 388 wrote to memory of 3504	388	5075132399.exe	89

C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe
"C:\Users\Admin\AppData\Local\Temp\5DDFCF4815E94C48F1031CED6E010868.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
  C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:100148
- C:\Users\Admin\AppData\Roaming\5075132399.exe
  C:\Users\Admin\AppData\Roaming\5075132399.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Get-WmiObject Win32_PortConnector"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5075132399.exe

Filesize
4.1MB

MD5
39c82e2f3a3c5d438aeafae69664b525

SHA1
0f000990a2f611801248fe953a665bf28775698d

SHA256
c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

SHA512
30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

Download Submit
C:\Users\Admin\AppData\Roaming\5075132399.exe

Filesize
4.1MB

MD5
39c82e2f3a3c5d438aeafae69664b525

SHA1
0f000990a2f611801248fe953a665bf28775698d

SHA256
c9bb6f7ada6803307a1d0dd37b9d8322e86665076732bd0a378e5c3c62f83e59

SHA512
30f9b62826edbb5145f1bf28ddd9947b5c9e952b9ed5ff1b2f80101e17633abe40af1126b21ddd3bdcd50a4d99d609485bedf0e5978e04c9f547d30894b8767d

Download Submit
C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe

Filesize
1.2MB

MD5
4b7a101c5d6583f67fa574f7d9eab212

SHA1
88f34c4b0491dc3490fdce653d43a2f1b45943a5

SHA256
6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

SHA512
449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

Download Submit
C:\Users\Admin\AppData\Roaming\@colored_tea_breakfast_crypted.exe

Filesize
1.2MB

MD5
4b7a101c5d6583f67fa574f7d9eab212

SHA1
88f34c4b0491dc3490fdce653d43a2f1b45943a5

SHA256
6adeca1f0c2bc4c2f6139128638c63693e18c15010337c9c0c0cc51b89da60f5

SHA512
449021ecc5a3fada03cb29bb22090a2718a479470718575469cd0618facc0935bb307782f909ae5d70d9820c03b8a4eb7e19bfed0706367ed92fe49524ee13bb

Download Submit
memory/388-138-0x0000000000980000-0x000000000179B000-memory.dmp

Filesize
14.1MB

Download
memory/388-149-0x0000000000980000-0x000000000179B000-memory.dmp

Filesize
14.1MB

Download
memory/388-156-0x0000000000980000-0x000000000179B000-memory.dmp

Filesize
14.1MB

Download
memory/3504-161-0x00007FFA67200000-0x00007FFA67CC1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-154-0x00007FFA67200000-0x00007FFA67CC1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-151-0x00000236F4B20000-0x00000236F4B42000-memory.dmp

Filesize
136KB

Download
memory/100148-148-0x0000000005010000-0x000000000504C000-memory.dmp

Filesize
240KB

Download
memory/100148-147-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/100148-146-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/100148-152-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/100148-153-0x00000000068D0000-0x0000000006E74000-memory.dmp

Filesize
5.6MB

Download
memory/100148-155-0x0000000006430000-0x00000000064C2000-memory.dmp

Filesize
584KB

Download
memory/100148-145-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/100148-140-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/100148-157-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download
memory/100148-158-0x00000000073B0000-0x00000000078DC000-memory.dmp

Filesize
5.2MB

Download
memory/100148-159-0x0000000006E80000-0x0000000006EF6000-memory.dmp

Filesize
472KB

Download
memory/100148-160-0x0000000006620000-0x0000000006670000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing