redline | 391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017

Analysis

max time kernel
40s
max time network
96s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-10-2022 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.7MB
MD5

7d2177241b4fa57a9e3e6de208875025
SHA1

b8c1d3171e82de04821ff213bd298c368c4c0b0f
SHA256

391d8db75e7ff6684b8b81bcfcf3622d832b0ef7aa0b29d01f8a84f5c880a017
SHA512

b3071a54f6c94085be43e5093c0acb62c12dbe8d6ccfeb474e46741e255c6aec3c2e8f8bf9b2380791fee33feda75d4540bdbfc17da9bb040ea47e797b276f5a
SSDEEP

49152:Vz/r2pelcD7gxpL4zMdZYkuFUFeDsHpWkIxXBR0:Vz/r2olcWL4zcD4TR

Score

10^/10

redline @moriwws infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@moriwWs

litrazalilibe.xyz:81

Attributes

auth_value
c2f987b4e6cd55ad1315311e92563eca

Extracted

Family

redline

185.186.142.127:17355

Attributes

auth_value
2d7be1ed915f7e5f91af0977d4175cb7

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/170656-84-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/170656-89-0x000000000041ADC2-mapping.dmp	family_redline
behavioral1/memory/170656-90-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/170656-91-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

ba.exesg.exerog.exexerax.exegor.exegg.exe

pid process

956 ba.exe
948 sg.exe
1704 rog.exe
13624 xerax.exe
58468 gor.exe
97600 gg.exe
Loads dropped DLL 9 IoCs

Processes:

tmp.exesg.exe

pid process

1504 tmp.exe
1504 tmp.exe
948 sg.exe
948 sg.exe
948 sg.exe
948 sg.exe
948 sg.exe
948 sg.exe
948 sg.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
956	ba.exe
948	sg.exe
1704	rog.exe
13624	xerax.exe
58468	gor.exe
97600	gg.exe

pid	process
1504	tmp.exe
1504	tmp.exe
948	sg.exe
948	sg.exe
948	sg.exe
948	sg.exe
948	sg.exe
948	sg.exe
948	sg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

rog.exexerax.exe

description	pid	process	target process
PID 1704 set thread context of 170656	1704	rog.exe	AppLaunch.exe
PID 13624 set thread context of 183384	13624	xerax.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

72984 956 WerFault.exe ba.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

pid process

183384 AppLaunch.exe
183384 AppLaunch.exe
170656 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 183384 AppLaunch.exe
Token: SeDebugPrivilege 170656 AppLaunch.exe

pid	pid_target	process	target process
72984	956	WerFault.exe	ba.exe

pid	process
183384	AppLaunch.exe
183384	AppLaunch.exe
170656	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	183384	AppLaunch.exe
Token: SeDebugPrivilege	170656	AppLaunch.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

tmp.exesg.exeba.exerog.exexerax.exe

description	pid	process	target process
PID 1504 wrote to memory of 956	1504	tmp.exe	ba.exe
PID 1504 wrote to memory of 956	1504	tmp.exe	ba.exe
PID 1504 wrote to memory of 956	1504	tmp.exe	ba.exe
PID 1504 wrote to memory of 956	1504	tmp.exe	ba.exe
PID 1504 wrote to memory of 948	1504	tmp.exe	sg.exe
PID 1504 wrote to memory of 948	1504	tmp.exe	sg.exe
PID 1504 wrote to memory of 948	1504	tmp.exe	sg.exe
PID 1504 wrote to memory of 948	1504	tmp.exe	sg.exe
PID 948 wrote to memory of 1704	948	sg.exe	rog.exe
PID 948 wrote to memory of 1704	948	sg.exe	rog.exe
PID 948 wrote to memory of 1704	948	sg.exe	rog.exe
PID 948 wrote to memory of 1704	948	sg.exe	rog.exe
PID 948 wrote to memory of 13624	948	sg.exe	xerax.exe
PID 948 wrote to memory of 13624	948	sg.exe	xerax.exe
PID 948 wrote to memory of 13624	948	sg.exe	xerax.exe
PID 948 wrote to memory of 13624	948	sg.exe	xerax.exe
PID 948 wrote to memory of 58468	948	sg.exe	gor.exe
PID 948 wrote to memory of 58468	948	sg.exe	gor.exe
PID 948 wrote to memory of 58468	948	sg.exe	gor.exe
PID 948 wrote to memory of 58468	948	sg.exe	gor.exe
PID 956 wrote to memory of 72984	956	ba.exe	WerFault.exe
PID 956 wrote to memory of 72984	956	ba.exe	WerFault.exe
PID 956 wrote to memory of 72984	956	ba.exe	WerFault.exe
PID 948 wrote to memory of 97600	948	sg.exe	gg.exe
PID 948 wrote to memory of 97600	948	sg.exe	gg.exe
PID 948 wrote to memory of 97600	948	sg.exe	gg.exe
PID 948 wrote to memory of 97600	948	sg.exe	gg.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe
PID 1704 wrote to memory of 170656	1704	rog.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe
PID 13624 wrote to memory of 183384	13624	xerax.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\ba.exe
"C:\Users\Admin\AppData\Local\Temp\ba.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 956 -s 524
3⤵
- Program crash
PID:72984

C:\Users\Admin\AppData\Local\Temp\sg.exe
"C:\Users\Admin\AppData\Local\Temp\sg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\rog.exe
"C:\Users\Admin\AppData\Local\Temp\rog.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:170656

C:\Users\Admin\AppData\Local\Temp\xerax.exe
"C:\Users\Admin\AppData\Local\Temp\xerax.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:13624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:183384

C:\Users\Admin\AppData\Local\Temp\gor.exe
"C:\Users\Admin\AppData\Local\Temp\gor.exe"
3⤵
- Executes dropped EXE
PID:58468

C:\Users\Admin\AppData\Local\Temp\gg.exe
"C:\Users\Admin\AppData\Local\Temp\gg.exe"
3⤵
- Executes dropped EXE
PID:97600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba.exe
Filesize
18KB

MD5
61f45eab008bcde3e3a3c063772aab2f

SHA1
667d79cb382b6a92961092b909bb28b749c5bf24

SHA256
5c762e43a8894a74249b7db0eded67453ac96c216a10cda8e7beca238293bac4

SHA512
ea214fe31980a4cd7c69e5daab1116f8ade305782fe16362955781c27b5dc0892a4c92b48f01708bf643dc3675afd14d31cb9f7df3f8e5db7a8daac7de044a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba.exe
Filesize
18KB

MD5
61f45eab008bcde3e3a3c063772aab2f

SHA1
667d79cb382b6a92961092b909bb28b749c5bf24

SHA256
5c762e43a8894a74249b7db0eded67453ac96c216a10cda8e7beca238293bac4

SHA512
ea214fe31980a4cd7c69e5daab1116f8ade305782fe16362955781c27b5dc0892a4c92b48f01708bf643dc3675afd14d31cb9f7df3f8e5db7a8daac7de044a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gg.exe
Filesize
693KB

MD5
e740fd2f754a367412bc27005e6aaccb

SHA1
c60104438c97d9966fa698162c82d2d2b2550c0b

SHA256
d895d3572910814cbdde2f48c16ec3fb15a07b2238bb7ec2685f004b527f2cbb

SHA512
d48992867d7032c918fe63bab2141c748c3308becbecf0b07a77370d0f33b1fbca542647f7898ccdd179fd23e2f6a90bc50b2b6d5f2a31060650c7883e55f5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gg.exe
Filesize
693KB

MD5
e740fd2f754a367412bc27005e6aaccb

SHA1
c60104438c97d9966fa698162c82d2d2b2550c0b

SHA256
d895d3572910814cbdde2f48c16ec3fb15a07b2238bb7ec2685f004b527f2cbb

SHA512
d48992867d7032c918fe63bab2141c748c3308becbecf0b07a77370d0f33b1fbca542647f7898ccdd179fd23e2f6a90bc50b2b6d5f2a31060650c7883e55f5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gor.exe
Filesize
212KB

MD5
d25ae430b30fa2e0c38b50d054b1ea5e

SHA1
f67497d2014fbbf4bd2d40aa14a0e274c0309527

SHA256
c21084cfecb765173b2cd8f902fa17194e89e278f6ebc0bfba2abacd600d90a4

SHA512
520bcc2c0fa217b61a267c34891ae4cdf72dca8de27fa4afcba9dacd9c00fc6707759d571f644e2538f5bcf00d4a32e26e875ccdd6c784e3dff09c66aab38bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rog.exe
Filesize
2.6MB

MD5
0c4fd32a439820037d08d68687807598

SHA1
644113b692d3f16a6f329a24b4be6ca1a636c568

SHA256
eca0b857de4682a5c859409d8ad7f9f2f6823ab770b9de8504db557b5f3d4240

SHA512
057948b3ace67ea088a021c93e7a25ccd3a3de2ee277ad17767fe1cea6ab88c2797ad78607d04d2373f0e9445d7d164a09af34dd1694fa30be659efb8e397179

Download Submit
C:\Users\Admin\AppData\Local\Temp\sg.exe
Filesize
1.7MB

MD5
5f48f3eceef12e98821d2a26b0e039ce

SHA1
a98164df15415cfb0a22b7d8382f04914e5fef56

SHA256
15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a

SHA512
cdc698888018581607cf14fc2d6e3b7bfcee8c4dd7bef7b6b895845190e11e5866f1d62709432f600cd6c9905d7c858d505f050616068e37b42524d6acd3ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\xerax.exe
Filesize
2.6MB

MD5
ad0cb75c2e63718ded2aff1e87797460

SHA1
3147252b276123f18a8b7a9454d2bb616d26c443

SHA256
38f6b932f8366f609b1415694cac002437aff95af435342e6a9c8db5224f5a5a

SHA512
ff59793d31f078e3a88a6d7b72a2523050fdbb02ab2cd9f2637dd5c4ccc90e8ccba32208140064a30a0c773e85cc4ca6f7d7aa19e7e770ed27f87e8486964c68

Download Submit
\Users\Admin\AppData\Local\Temp\ba.exe
Filesize
18KB

MD5
61f45eab008bcde3e3a3c063772aab2f

SHA1
667d79cb382b6a92961092b909bb28b749c5bf24

SHA256
5c762e43a8894a74249b7db0eded67453ac96c216a10cda8e7beca238293bac4

SHA512
ea214fe31980a4cd7c69e5daab1116f8ade305782fe16362955781c27b5dc0892a4c92b48f01708bf643dc3675afd14d31cb9f7df3f8e5db7a8daac7de044a8c

Download Submit
\Users\Admin\AppData\Local\Temp\gg.exe
Filesize
693KB

MD5
e740fd2f754a367412bc27005e6aaccb

SHA1
c60104438c97d9966fa698162c82d2d2b2550c0b

SHA256
d895d3572910814cbdde2f48c16ec3fb15a07b2238bb7ec2685f004b527f2cbb

SHA512
d48992867d7032c918fe63bab2141c748c3308becbecf0b07a77370d0f33b1fbca542647f7898ccdd179fd23e2f6a90bc50b2b6d5f2a31060650c7883e55f5d3

Download Submit
\Users\Admin\AppData\Local\Temp\gor.exe
Filesize
212KB

MD5
d25ae430b30fa2e0c38b50d054b1ea5e

SHA1
f67497d2014fbbf4bd2d40aa14a0e274c0309527

SHA256
c21084cfecb765173b2cd8f902fa17194e89e278f6ebc0bfba2abacd600d90a4

SHA512
520bcc2c0fa217b61a267c34891ae4cdf72dca8de27fa4afcba9dacd9c00fc6707759d571f644e2538f5bcf00d4a32e26e875ccdd6c784e3dff09c66aab38bc9

Download Submit
\Users\Admin\AppData\Local\Temp\gor.exe
Filesize
212KB

MD5
d25ae430b30fa2e0c38b50d054b1ea5e

SHA1
f67497d2014fbbf4bd2d40aa14a0e274c0309527

SHA256
c21084cfecb765173b2cd8f902fa17194e89e278f6ebc0bfba2abacd600d90a4

SHA512
520bcc2c0fa217b61a267c34891ae4cdf72dca8de27fa4afcba9dacd9c00fc6707759d571f644e2538f5bcf00d4a32e26e875ccdd6c784e3dff09c66aab38bc9

Download Submit
\Users\Admin\AppData\Local\Temp\rog.exe
Filesize
2.6MB

MD5
0c4fd32a439820037d08d68687807598

SHA1
644113b692d3f16a6f329a24b4be6ca1a636c568

SHA256
eca0b857de4682a5c859409d8ad7f9f2f6823ab770b9de8504db557b5f3d4240

SHA512
057948b3ace67ea088a021c93e7a25ccd3a3de2ee277ad17767fe1cea6ab88c2797ad78607d04d2373f0e9445d7d164a09af34dd1694fa30be659efb8e397179

Download Submit
\Users\Admin\AppData\Local\Temp\rog.exe
Filesize
2.6MB

MD5
0c4fd32a439820037d08d68687807598

SHA1
644113b692d3f16a6f329a24b4be6ca1a636c568

SHA256
eca0b857de4682a5c859409d8ad7f9f2f6823ab770b9de8504db557b5f3d4240

SHA512
057948b3ace67ea088a021c93e7a25ccd3a3de2ee277ad17767fe1cea6ab88c2797ad78607d04d2373f0e9445d7d164a09af34dd1694fa30be659efb8e397179

Download Submit
\Users\Admin\AppData\Local\Temp\sg.exe
Filesize
1.7MB

MD5
5f48f3eceef12e98821d2a26b0e039ce

SHA1
a98164df15415cfb0a22b7d8382f04914e5fef56

SHA256
15c61bff122689fbca8f61c8cc3c77d54a7320a7427e9b098fec82233459884a

SHA512
cdc698888018581607cf14fc2d6e3b7bfcee8c4dd7bef7b6b895845190e11e5866f1d62709432f600cd6c9905d7c858d505f050616068e37b42524d6acd3ffde

Download Submit
\Users\Admin\AppData\Local\Temp\xerax.exe
Filesize
2.6MB

MD5
ad0cb75c2e63718ded2aff1e87797460

SHA1
3147252b276123f18a8b7a9454d2bb616d26c443

SHA256
38f6b932f8366f609b1415694cac002437aff95af435342e6a9c8db5224f5a5a

SHA512
ff59793d31f078e3a88a6d7b72a2523050fdbb02ab2cd9f2637dd5c4ccc90e8ccba32208140064a30a0c773e85cc4ca6f7d7aa19e7e770ed27f87e8486964c68

Download Submit
\Users\Admin\AppData\Local\Temp\xerax.exe
Filesize
2.6MB

MD5
ad0cb75c2e63718ded2aff1e87797460

SHA1
3147252b276123f18a8b7a9454d2bb616d26c443

SHA256
38f6b932f8366f609b1415694cac002437aff95af435342e6a9c8db5224f5a5a

SHA512
ff59793d31f078e3a88a6d7b72a2523050fdbb02ab2cd9f2637dd5c4ccc90e8ccba32208140064a30a0c773e85cc4ca6f7d7aa19e7e770ed27f87e8486964c68

Download Submit
memory/948-60-0x0000000000000000-mapping.dmp

Download
memory/956-63-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1704-66-0x0000000000000000-mapping.dmp

Download
memory/13624-70-0x0000000000000000-mapping.dmp

Download
memory/58468-74-0x0000000000000000-mapping.dmp

Download
memory/72984-76-0x0000000000000000-mapping.dmp

Download
memory/97600-78-0x0000000000000000-mapping.dmp

Download
memory/97600-81-0x0000000000DD0000-0x0000000000E84000-memory.dmp

Filesize
720KB

Download
memory/97600-109-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/97600-105-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/97600-108-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/97600-107-0x0000000004AE5000-0x0000000004AF6000-memory.dmp

Filesize
68KB

Download
memory/97600-106-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/170656-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/170656-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/170656-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/170656-89-0x000000000041ADC2-mapping.dmp

Download
memory/170656-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/183384-94-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/183384-100-0x000000000041734E-mapping.dmp

Download
memory/183384-102-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/183384-101-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/183384-92-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download