redline | e03979f58b33f0b40c8817f7c2a0106c4a6a51c0b9bd1b8de37435a3b65f0ae1

General

Target

private valorant.exe
Size

2.6MB
MD5

4fe4971ca7dba89c1793b359cfbe8fd5
SHA1

2305e68738b5d6ce615d9386e7030c0120609428
SHA256

20178c4c0448a12445242ade89d2dd6973493c22ec545b45d69193fff0795dbd
SHA512

8da1b49237ccf820a11af103432f2c59f7c538735b54ce7f30cd8c4f3ed5f1f823e98691ff889b4a9088b77fdc65d9ea5afbc51d556f5eb53250a64750c442e5
SSDEEP

24576:Iz/1l1gz6B8BWccYvYhFMdeWQMyGdkYlHGTlNn7zVSYZJYvv9vOLyOkDPl3RuQ5C:6P1gu8BWvq8tEYZJYvv9vODkDPl30

Score

10^/10

redline infostealer spyware upx

Malware Config

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes

auth_value
6ecfe2239bb32c15669e8ad6e1fa793c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/100832-56-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/100832-61-0x00000000004227EE-mapping.dmp	family_redline
behavioral1/memory/100832-62-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/100832-63-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

MainModule.exestart.exe

pid process

101168 MainModule.exe
101232 start.exe

pid	process
101168	MainModule.exe
101232	start.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\start.exe	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral1/memory/101232-78-0x0000000000150000-0x0000000001416000-memory.dmp	upx
behavioral1/memory/101232-81-0x0000000000150000-0x0000000001416000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

AppLaunch.exe

pid process

100832 AppLaunch.exe
100832 AppLaunch.exe
100832 AppLaunch.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

private valorant.exe

description pid process target process

PID 1464 set thread context of 100832 1464 private valorant.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AppLaunch.exeMainModule.exe

pid process

100832 AppLaunch.exe
100832 AppLaunch.exe
101168 MainModule.exe

pid	process
100832	AppLaunch.exe
100832	AppLaunch.exe
100832	AppLaunch.exe

description	pid	process	target process
PID 1464 set thread context of 100832	1464	private valorant.exe	AppLaunch.exe

pid	process
100832	AppLaunch.exe
100832	AppLaunch.exe
101168	MainModule.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AppLaunch.exeMainModule.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	100832	AppLaunch.exe
Token: SeDebugPrivilege	101168	MainModule.exe
Token: 33	1380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1380	AUDIODG.EXE
Token: 33	1380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1380	AUDIODG.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

private valorant.exeAppLaunch.exe

description	pid	process	target process
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 1464 wrote to memory of 100832	1464	private valorant.exe	AppLaunch.exe
PID 100832 wrote to memory of 101168	100832	AppLaunch.exe	MainModule.exe
PID 100832 wrote to memory of 101168	100832	AppLaunch.exe	MainModule.exe
PID 100832 wrote to memory of 101168	100832	AppLaunch.exe	MainModule.exe
PID 100832 wrote to memory of 101168	100832	AppLaunch.exe	MainModule.exe
PID 100832 wrote to memory of 101168	100832	AppLaunch.exe	MainModule.exe
PID 100832 wrote to memory of 101168	100832	AppLaunch.exe	MainModule.exe
PID 100832 wrote to memory of 101168	100832	AppLaunch.exe	MainModule.exe
PID 100832 wrote to memory of 101232	100832	AppLaunch.exe	start.exe
PID 100832 wrote to memory of 101232	100832	AppLaunch.exe	start.exe
PID 100832 wrote to memory of 101232	100832	AppLaunch.exe	start.exe
PID 100832 wrote to memory of 101232	100832	AppLaunch.exe	start.exe

C:\Users\Admin\AppData\Local\Temp\private valorant.exe
"C:\Users\Admin\AppData\Local\Temp\private valorant.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100832

C:\Users\Admin\AppData\Local\Temp\MainModule.exe
"C:\Users\Admin\AppData\Local\Temp\MainModule.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:101168

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
3⤵
- Executes dropped EXE
PID:101232

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:101356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MainModule.exe
Filesize
72KB

MD5
077d5c3447d5e03cd4ad1bb68033ec03

SHA1
290b6cce8788511265be31c2fbe4739fe9fc2132

SHA256
78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c

SHA512
4efad46544565ac336594a8c14add1657ad202afe225e50afb566e8922d0d356ff60e1b0e2061ffd6ec238c1657ded38428294e0886ec7feb9231e84228cf1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe
Filesize
72KB

MD5
077d5c3447d5e03cd4ad1bb68033ec03

SHA1
290b6cce8788511265be31c2fbe4739fe9fc2132

SHA256
78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c

SHA512
4efad46544565ac336594a8c14add1657ad202afe225e50afb566e8922d0d356ff60e1b0e2061ffd6ec238c1657ded38428294e0886ec7feb9231e84228cf1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe
Filesize
5.1MB

MD5
3e2922711ccfb0d4c63bc2e1ac3962cb

SHA1
c0080d77f23d9ba6aea56bf808e7047564ddff51

SHA256
6e4581639b79846f73463632b751fbfb6568b3f3d12d14e1cf9a9f4f818d7a56

SHA512
47de0b4c5a20aeb8a777f1dc8f7c3fa9264d472d229727c97a12d77ac06f99000f830c73f261d3ad529e91ef9b4dcf944263292f4e69084cd0cd66826091d8f4

Download Submit
\Users\Admin\AppData\Local\Temp\MainModule.exe
Filesize
72KB

MD5
077d5c3447d5e03cd4ad1bb68033ec03

SHA1
290b6cce8788511265be31c2fbe4739fe9fc2132

SHA256
78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c

SHA512
4efad46544565ac336594a8c14add1657ad202afe225e50afb566e8922d0d356ff60e1b0e2061ffd6ec238c1657ded38428294e0886ec7feb9231e84228cf1a6

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe
Filesize
5.1MB

MD5
3e2922711ccfb0d4c63bc2e1ac3962cb

SHA1
c0080d77f23d9ba6aea56bf808e7047564ddff51

SHA256
6e4581639b79846f73463632b751fbfb6568b3f3d12d14e1cf9a9f4f818d7a56

SHA512
47de0b4c5a20aeb8a777f1dc8f7c3fa9264d472d229727c97a12d77ac06f99000f830c73f261d3ad529e91ef9b4dcf944263292f4e69084cd0cd66826091d8f4

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe
Filesize
5.1MB

MD5
3e2922711ccfb0d4c63bc2e1ac3962cb

SHA1
c0080d77f23d9ba6aea56bf808e7047564ddff51

SHA256
6e4581639b79846f73463632b751fbfb6568b3f3d12d14e1cf9a9f4f818d7a56

SHA512
47de0b4c5a20aeb8a777f1dc8f7c3fa9264d472d229727c97a12d77ac06f99000f830c73f261d3ad529e91ef9b4dcf944263292f4e69084cd0cd66826091d8f4

Download Submit
memory/100832-64-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/100832-76-0x00000000076B0000-0x0000000008976000-memory.dmp

Filesize
18.8MB

Download
memory/100832-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/100832-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/100832-80-0x00000000076B0000-0x0000000008976000-memory.dmp

Filesize
18.8MB

Download
memory/100832-77-0x00000000076B0000-0x0000000008976000-memory.dmp

Filesize
18.8MB

Download
memory/100832-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/100832-61-0x00000000004227EE-mapping.dmp

Download
memory/100832-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/101168-66-0x0000000000000000-mapping.dmp

Download
memory/101168-71-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/101168-70-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download
memory/101232-74-0x0000000000000000-mapping.dmp

Download
memory/101232-78-0x0000000000150000-0x0000000001416000-memory.dmp

Filesize
18.8MB

Download
memory/101232-81-0x0000000000150000-0x0000000001416000-memory.dmp

Filesize
18.8MB

Download
memory/101356-79-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads