redline | ee2f4e019c67ac698cd6070a2a10c4b634bccc69147c2fa8c38984835f7ffa5c

Resubmissions

17/10/2022, 15:19

221017-sqn3gscbh3 10

16/10/2022, 11:07

221016-m7zbwshdd5 10

Analysis

max time kernel
129s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
16/10/2022, 11:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49ce053c9dea98eb0de0d87fd09c39c6.exe
Size

2.6MB
MD5

49ce053c9dea98eb0de0d87fd09c39c6
SHA1

963cd86e9c32f38c6846ee9bfb3ff741b91b1d17
SHA256

ee2f4e019c67ac698cd6070a2a10c4b634bccc69147c2fa8c38984835f7ffa5c
SHA512

6e80cd25cf0f8e64c8aad7f2e090c4119a938cdf4cc70ff72ad898bc6dad482e79b06500ed6364b2eebd8089f8a4cdfb773f24bd482e51fe0b4b00546e0209f3
SSDEEP

49152:P3xHty7PwuQ8qZWtzx5ap59pTfNUIDoaIl3M:P3xHty7PlqgzSD9UIDo8

Score

10^/10

redline @ebaniynoyname infostealer persistence spyware

Malware Config

Extracted

Family

redline

Botnet

@EBANIYNOYNAME

82.115.223.48:26393

Attributes

auth_value
3517499b9df589c8c64f775931cb7b6d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/98412-56-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/98412-63-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/98412-62-0x0000000000090000-0x00000000000B8000-memory.dmp	family_redline
behavioral1/memory/98412-61-0x00000000000B22A2-mapping.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
98728	Ubisoft.exe
99008	Ubisoft.exe
99096	Decoder.exe

Loads dropped DLL 2 IoCs

pid	Process
98412	AppLaunch.exe
98728	Ubisoft.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Thyzblmtm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mbirag\\Thyzblmtm.exe\""	Ubisoft.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Ubisoft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Ubisoft.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 98728 set thread context of 99008	98728	Ubisoft.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
99096	Decoder.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
98412	AppLaunch.exe
98412	AppLaunch.exe
98816	powershell.exe
98728	Ubisoft.exe
98728	Ubisoft.exe
98728	Ubisoft.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	98412	AppLaunch.exe
Token: SeDebugPrivilege	98816	powershell.exe
Token: SeDebugPrivilege	98728	Ubisoft.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 1376 wrote to memory of 98412	1376	49ce053c9dea98eb0de0d87fd09c39c6.exe	27
PID 98412 wrote to memory of 98728	98412	AppLaunch.exe	29
PID 98412 wrote to memory of 98728	98412	AppLaunch.exe	29
PID 98412 wrote to memory of 98728	98412	AppLaunch.exe	29
PID 98412 wrote to memory of 98728	98412	AppLaunch.exe	29
PID 98728 wrote to memory of 98816	98728	Ubisoft.exe	30
PID 98728 wrote to memory of 98816	98728	Ubisoft.exe	30
PID 98728 wrote to memory of 98816	98728	Ubisoft.exe	30
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 98728 wrote to memory of 99008	98728	Ubisoft.exe	33
PID 99008 wrote to memory of 99096	99008	Ubisoft.exe	34
PID 99008 wrote to memory of 99096	99008	Ubisoft.exe	34
PID 99008 wrote to memory of 99096	99008	Ubisoft.exe	34
PID 99008 wrote to memory of 99096	99008	Ubisoft.exe	34
PID 99008 wrote to memory of 99096	99008	Ubisoft.exe	34
PID 99008 wrote to memory of 99096	99008	Ubisoft.exe	34
PID 99008 wrote to memory of 99096	99008	Ubisoft.exe	34

C:\Users\Admin\AppData\Local\Temp\49ce053c9dea98eb0de0d87fd09c39c6.exe
"C:\Users\Admin\AppData\Local\Temp\49ce053c9dea98eb0de0d87fd09c39c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:98412
- - C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe
    "C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:98728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98816
  - - C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe
      C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:99008
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:99096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe

Filesize
52.7MB

MD5
b22b72eea4c18e596249bfb56ad1760c

SHA1
1631574c8244930de44dcf83bdf993bc5f196efb

SHA256
1a0f4427c021fabf59fd472bbff9fcd2a693c80b4b0c44547574f7ddacb38da9

SHA512
77f8887fcb6ec0a4e19d72154af55115afbc449066cb713001dd883005269327a2f96a93f0626246e84e8fde74631342e25407c2657f22a4d3fc0daf17815df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe

Filesize
52.9MB

MD5
6cf2354854571c16c424a5f8bc69a2a9

SHA1
ecf25ec30b5742c2ae96a95dbc579ddd13cda1e7

SHA256
be31c7e63c1adf5ea62d95003c1db1a0f5faf1d50a8387450d844e9d8c9d59f4

SHA512
6fcbf5550d8a02062fa24a448669776fcb340e6f1d117df16d23cddfda61382f8fa4ad7a14279efb35c68f9864376f87e3fed3140713bf7dbf267b2d7dec777d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
memory/98412-62-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/98412-54-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/98412-63-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/98412-64-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/98412-56-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/98728-71-0x0000000000D40000-0x0000000000DD2000-memory.dmp

Filesize
584KB

Download
memory/98728-70-0x000000001BA80000-0x000000001BB6A000-memory.dmp

Filesize
936KB

Download
memory/98728-69-0x0000000000DE0000-0x0000000000F6C000-memory.dmp

Filesize
1.5MB

Download
memory/98816-79-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/98816-74-0x000007FEEC190000-0x000007FEECBB3000-memory.dmp

Filesize
10.1MB

Download
memory/98816-78-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/98816-77-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/98816-80-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/98816-75-0x000007FEEB630000-0x000007FEEC18D000-memory.dmp

Filesize
11.4MB

Download
memory/98816-73-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/98816-76-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/99008-85-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-89-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-92-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-91-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-98-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-87-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-97-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-83-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-104-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99008-82-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/99096-103-0x0000000000070000-0x0000000000222000-memory.dmp

Filesize
1.7MB

Download