redline | 996c4e5418405912b929e7916def0a6c0aaedf77065ec5725f4782b00fb1464e

Resubmissions

20-10-2022 15:52

221020-tbbz2scafr 10

20-10-2022 13:54

221020-q7jg8agbck 10

Analysis

max time kernel
110s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZoomInstaller.exe
Size

5.8MB
MD5

5380a51e5286d9bb51d369aca9b38dc2
SHA1

69c696e0beb957f1030df1031ff43c727cdb0595
SHA256

996c4e5418405912b929e7916def0a6c0aaedf77065ec5725f4782b00fb1464e
SHA512

eac5346d2d9a9f16955b9bf9ea33f2e9932811462b0d7054ee0ae81394b017be4c7124c49555294a22b6f2935790e5054117d3fa647d6dc1860138a2a365dc77
SSDEEP

98304:pXz0TZpDOiYnzJagiZLjfWwYpnUO1CtNC2hEBFiFk1sxzqvL9O/vNl/pEo4ghFk/:VeDrYzJRuWw4UI8CHBEC1fY/X//hi+a

Score

10^/10

redline zoom discovery infostealer pyinstaller spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Zoom

95.216.170.17:29995

Attributes

auth_value
a019d6186be3a0fb2d409933c96c8ced

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022e27-152.dat	family_redline
behavioral2/files/0x0008000000022e27-153.dat	family_redline
behavioral2/memory/4084-154-0x00000000001D0000-0x00000000001F8000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1992	yesbuild.exe
3380	yesbuild.exe
4608	cript.exe
4380	yebaby.sfx.exe
4084	yebaby.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	yebaby.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ZoomInstaller.exe

Loads dropped DLL 2 IoCs

pid	Process
3380	yesbuild.exe
3380	yesbuild.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000022e21-133.dat	pyinstaller
behavioral2/files/0x0008000000022e21-134.dat	pyinstaller
behavioral2/files/0x0008000000022e21-136.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4084	yebaby.exe
4084	yebaby.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	yebaby.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 1992	4124	ZoomInstaller.exe	81
PID 4124 wrote to memory of 1992	4124	ZoomInstaller.exe	81
PID 1992 wrote to memory of 3380	1992	yesbuild.exe	84
PID 1992 wrote to memory of 3380	1992	yesbuild.exe	84
PID 3380 wrote to memory of 3896	3380	yesbuild.exe	86
PID 3380 wrote to memory of 3896	3380	yesbuild.exe	86
PID 3896 wrote to memory of 4608	3896	cmd.exe	88
PID 3896 wrote to memory of 4608	3896	cmd.exe	88
PID 3896 wrote to memory of 4608	3896	cmd.exe	88
PID 4608 wrote to memory of 3632	4608	cript.exe	89
PID 4608 wrote to memory of 3632	4608	cript.exe	89
PID 4608 wrote to memory of 3632	4608	cript.exe	89
PID 3632 wrote to memory of 4380	3632	cmd.exe	91
PID 3632 wrote to memory of 4380	3632	cmd.exe	91
PID 3632 wrote to memory of 4380	3632	cmd.exe	91
PID 4380 wrote to memory of 4084	4380	yebaby.sfx.exe	92
PID 4380 wrote to memory of 4084	4380	yebaby.sfx.exe	92
PID 4380 wrote to memory of 4084	4380	yebaby.sfx.exe	92

C:\Users\Admin\AppData\Local\Temp\ZoomInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ZoomInstaller.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\yesbuild.exe
  "C:\Users\Admin\AppData\Local\Temp\yesbuild.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\yesbuild.exe
    "C:\Users\Admin\AppData\Local\Temp\yesbuild.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI19922\cript.exe -p48348#$!Qqf0a
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\_MEI19922\cript.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI19922\cript.exe -p48348#$!Qqf0a
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\yebaby.sfx.exe
        
        yebaby.sfx.exe -p48348#$!Qqf0a
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\yebaby.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yebaby.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
49B

MD5
6189986120ff44ae43402ef774e07be1

SHA1
1472d152905e455c146e6ab20159daf7e55c77c2

SHA256
2a5055cc26426829eacfb592a8b69d474ab8be1c805a6ef793bac1e7f7d33a36

SHA512
0096628fae25cbaf6c1081ee617dd190a37c2f9aa2c9071f79bb4a83d470e37c2471e729fbb05e34883c0cffd84523b1c5a7c8c822607b210673bf6890a23c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\base_library.zip

Filesize
812KB

MD5
622c5b3c73ed54fc1361ead839c99d97

SHA1
bbd9406db4578d813f242251055bd8fa839d2d38

SHA256
d0bbd742960c568d82ad9caf513bf1afb7bd519caa9e3721414687e8813c903a

SHA512
37515b40568c5b87eb27d7aec3f051427d1df088d489aa596f81a94383736aa3a80fd195b00238d66d0ad686bc03a20ad4a0210e1448b1b4f856739d00d5fd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\cript.exe

Filesize
546KB

MD5
7763fdde7de6c903998674a1698e0777

SHA1
cda9e2fa41c26d952fb86041aae367efc082500f

SHA256
94a0309dff5a332b454a2bf2ddf2c2e65a5083ec59ee84ad70147b3b9e43e491

SHA512
1b19e9a3b0f20beb6ae15cf1b3fa0d488a2c5ae2387f3595bf5d9ae8356f862491636cada5c6483842989396fa99ed78dbd2528260ab38f90560377ac3298002

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\cript.exe

Filesize
546KB

MD5
7763fdde7de6c903998674a1698e0777

SHA1
cda9e2fa41c26d952fb86041aae367efc082500f

SHA256
94a0309dff5a332b454a2bf2ddf2c2e65a5083ec59ee84ad70147b3b9e43e491

SHA512
1b19e9a3b0f20beb6ae15cf1b3fa0d488a2c5ae2387f3595bf5d9ae8356f862491636cada5c6483842989396fa99ed78dbd2528260ab38f90560377ac3298002

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19922\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yebaby.exe

Filesize
160KB

MD5
4e2c0fc0e464788fe48380f5758e607a

SHA1
b9f7809b49a028e8598f2d3098cd6834e250b731

SHA256
6989c100d05851d4c1ef01005d7e0f56954ab0ec29184bbc5d31adfb1138ddd0

SHA512
4e6a8b0967560ca0ec8d89f7505814c8eb8724ede65d4751b2c2a77f481f84ade8ab77fa28ba6c7419893134d44ef1d74123c859d679cb3b319c635e3261e408

Download Submit
C:\Users\Admin\AppData\Local\Temp\yebaby.exe

Filesize
160KB

MD5
4e2c0fc0e464788fe48380f5758e607a

SHA1
b9f7809b49a028e8598f2d3098cd6834e250b731

SHA256
6989c100d05851d4c1ef01005d7e0f56954ab0ec29184bbc5d31adfb1138ddd0

SHA512
4e6a8b0967560ca0ec8d89f7505814c8eb8724ede65d4751b2c2a77f481f84ade8ab77fa28ba6c7419893134d44ef1d74123c859d679cb3b319c635e3261e408

Download Submit
C:\Users\Admin\AppData\Local\Temp\yebaby.sfx.exe

Filesize
379KB

MD5
729278bdb3d07c3624e7434d4f7bf1ec

SHA1
0d5fd23dbcd3da5e06c80d15b322a0df06ec7cb5

SHA256
ee36a898fbb39c6eb37439b007417831d705ce94fe376a15a87f7a1b2423285c

SHA512
165a3d0ec365cd89aa6c2adb03cfa11ad9a9102530d623d3b42864667a27cdd6f4cc4b23e19f204ba4a1a5f97ad2b5c5fb09ef4654c27e12a492208c9c440885

Download Submit
C:\Users\Admin\AppData\Local\Temp\yebaby.sfx.exe

Filesize
379KB

MD5
729278bdb3d07c3624e7434d4f7bf1ec

SHA1
0d5fd23dbcd3da5e06c80d15b322a0df06ec7cb5

SHA256
ee36a898fbb39c6eb37439b007417831d705ce94fe376a15a87f7a1b2423285c

SHA512
165a3d0ec365cd89aa6c2adb03cfa11ad9a9102530d623d3b42864667a27cdd6f4cc4b23e19f204ba4a1a5f97ad2b5c5fb09ef4654c27e12a492208c9c440885

Download Submit
C:\Users\Admin\AppData\Local\Temp\yesbuild.exe

Filesize
5.6MB

MD5
fd1410bfd40d8500c2450a0423243e38

SHA1
8e5d5df8b072952af568ab9918ee49ce676be299

SHA256
bf6915895b1bc041c3f1b89467b9b293385a3837d4cc59ac8a8d32adb0742ebe

SHA512
f31115cd1117355826911c089987b84580396b3927761f08fa09f141a8c3a8fab8501149ed5d541b33c1f3f5c03d5cfa69f7458de46bb528c3b0e8a6193d12dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yesbuild.exe

Filesize
5.6MB

MD5
fd1410bfd40d8500c2450a0423243e38

SHA1
8e5d5df8b072952af568ab9918ee49ce676be299

SHA256
bf6915895b1bc041c3f1b89467b9b293385a3837d4cc59ac8a8d32adb0742ebe

SHA512
f31115cd1117355826911c089987b84580396b3927761f08fa09f141a8c3a8fab8501149ed5d541b33c1f3f5c03d5cfa69f7458de46bb528c3b0e8a6193d12dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yesbuild.exe

Filesize
5.6MB

MD5
fd1410bfd40d8500c2450a0423243e38

SHA1
8e5d5df8b072952af568ab9918ee49ce676be299

SHA256
bf6915895b1bc041c3f1b89467b9b293385a3837d4cc59ac8a8d32adb0742ebe

SHA512
f31115cd1117355826911c089987b84580396b3927761f08fa09f141a8c3a8fab8501149ed5d541b33c1f3f5c03d5cfa69f7458de46bb528c3b0e8a6193d12dc

Download Submit
memory/1992-132-0x0000000000000000-mapping.dmp

Download
memory/3380-135-0x0000000000000000-mapping.dmp

Download
memory/3632-146-0x0000000000000000-mapping.dmp

Download
memory/3896-142-0x0000000000000000-mapping.dmp

Download
memory/4084-156-0x0000000004C90000-0x0000000004D9A000-memory.dmp

Filesize
1.0MB

Download
memory/4084-158-0x0000000004C20000-0x0000000004C5C000-memory.dmp

Filesize
240KB

Download
memory/4084-165-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/4084-154-0x00000000001D0000-0x00000000001F8000-memory.dmp

Filesize
160KB

Download
memory/4084-155-0x00000000051A0000-0x00000000057B8000-memory.dmp

Filesize
6.1MB

Download
memory/4084-164-0x0000000006740000-0x00000000067B6000-memory.dmp

Filesize
472KB

Download
memory/4084-157-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4084-151-0x0000000000000000-mapping.dmp

Download
memory/4084-159-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/4084-160-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/4084-161-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/4084-162-0x00000000064F0000-0x00000000066B2000-memory.dmp

Filesize
1.8MB

Download
memory/4084-163-0x0000000006BF0000-0x000000000711C000-memory.dmp

Filesize
5.2MB

Download
memory/4380-148-0x0000000000000000-mapping.dmp

Download
memory/4608-143-0x0000000000000000-mapping.dmp

Download