redline | 94927ab5236e3207a586d7a5ae3964384907381a3d6bee138ae49093d295a5bd

General

Target

watchdog.exe
Size

2.3MB
MD5

70e9d9ea20e20326b3b7aa72d0421306
SHA1

fa748e956b7e30cd1e02049f80a74e0b64b69f58
SHA256

94927ab5236e3207a586d7a5ae3964384907381a3d6bee138ae49093d295a5bd
SHA512

a15a0b600602943355201d22c6f885ab1b6a718b3c8c2035373445dcf6c6e2c9d62bfe33e3cb8ae24e9a53cbf4657e697ac1265386e2987be67a6742540e32c6
SSDEEP

24576:CLVfYsYskxXqMs+IYzSuAp+1JP0GxVWEAfhGL6aSljl3RuQ55313y:CLv+P/VWEAfhGqjl3Q

Score

10^/10

redline 875784825 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

875784825

C2

79.137.192.6:8362

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/105856-133-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

ChomiumPath.exesvcupdater.exe

pid process

3132 ChomiumPath.exe
2468 svcupdater.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

watchdog.exe

description pid process target process

PID 852 set thread context of 105856 852 watchdog.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4196 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

105856 vbc.exe
105856 vbc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exeChomiumPath.exesvcupdater.exe

description pid process

Token: SeDebugPrivilege 105856 vbc.exe
Token: SeDebugPrivilege 3132 ChomiumPath.exe
Token: SeDebugPrivilege 2468 svcupdater.exe

pid	process
3132	ChomiumPath.exe
2468	svcupdater.exe

description	pid	process	target process
PID 852 set thread context of 105856	852	watchdog.exe	vbc.exe

pid	process
4196	schtasks.exe

pid	process
105856	vbc.exe
105856	vbc.exe

description	pid	process
Token: SeDebugPrivilege	105856	vbc.exe
Token: SeDebugPrivilege	3132	ChomiumPath.exe
Token: SeDebugPrivilege	2468	svcupdater.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

watchdog.exevbc.exeChomiumPath.execmd.exe

description	pid	process	target process
PID 852 wrote to memory of 105856	852	watchdog.exe	vbc.exe
PID 852 wrote to memory of 105856	852	watchdog.exe	vbc.exe
PID 852 wrote to memory of 105856	852	watchdog.exe	vbc.exe
PID 852 wrote to memory of 105856	852	watchdog.exe	vbc.exe
PID 852 wrote to memory of 105856	852	watchdog.exe	vbc.exe
PID 105856 wrote to memory of 3132	105856	vbc.exe	ChomiumPath.exe
PID 105856 wrote to memory of 3132	105856	vbc.exe	ChomiumPath.exe
PID 3132 wrote to memory of 3912	3132	ChomiumPath.exe	cmd.exe
PID 3132 wrote to memory of 3912	3132	ChomiumPath.exe	cmd.exe
PID 3912 wrote to memory of 4196	3912	cmd.exe	schtasks.exe
PID 3912 wrote to memory of 4196	3912	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:105856

C:\Users\Admin\AppData\Local\Temp\ChomiumPath.exe
"C:\Users\Admin\AppData\Local\Temp\ChomiumPath.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C schtasks /create /tn \qnme49ij0f /tr "C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\system32\schtasks.exe
schtasks /create /tn \qnme49ij0f /tr "C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:4196

C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe
C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChomiumPath.exe
Filesize
19KB

MD5
df9c395f5640a450d5aba408567e7226

SHA1
b6bf596346dfbb906c282224fec47811101e8df4

SHA256
ad4080baa83c70ec3f8c0671b1d75bc85b17def9641be2e02aaf400811410b26

SHA512
bf10f921fa71e6c8557949be4981b9ce8704f3c273d6802035049ea40d1361c29f297f9f8642e9bd5753d3d91ddf0be4b3951cbd3f11571f1f6e64e59ad6a33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChomiumPath.exe
Filesize
19KB

MD5
df9c395f5640a450d5aba408567e7226

SHA1
b6bf596346dfbb906c282224fec47811101e8df4

SHA256
ad4080baa83c70ec3f8c0671b1d75bc85b17def9641be2e02aaf400811410b26

SHA512
bf10f921fa71e6c8557949be4981b9ce8704f3c273d6802035049ea40d1361c29f297f9f8642e9bd5753d3d91ddf0be4b3951cbd3f11571f1f6e64e59ad6a33d

Download Submit
C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe
Filesize
19KB

MD5
df9c395f5640a450d5aba408567e7226

SHA1
b6bf596346dfbb906c282224fec47811101e8df4

SHA256
ad4080baa83c70ec3f8c0671b1d75bc85b17def9641be2e02aaf400811410b26

SHA512
bf10f921fa71e6c8557949be4981b9ce8704f3c273d6802035049ea40d1361c29f297f9f8642e9bd5753d3d91ddf0be4b3951cbd3f11571f1f6e64e59ad6a33d

Download Submit
C:\Users\Admin\AppData\Roaming\qnme49ij0f\svcupdater.exe
Filesize
19KB

MD5
df9c395f5640a450d5aba408567e7226

SHA1
b6bf596346dfbb906c282224fec47811101e8df4

SHA256
ad4080baa83c70ec3f8c0671b1d75bc85b17def9641be2e02aaf400811410b26

SHA512
bf10f921fa71e6c8557949be4981b9ce8704f3c273d6802035049ea40d1361c29f297f9f8642e9bd5753d3d91ddf0be4b3951cbd3f11571f1f6e64e59ad6a33d

Download Submit
memory/2468-159-0x00007FFBDB530000-0x00007FFBDBFF1000-memory.dmp

Filesize
10.8MB

Download
memory/2468-158-0x00007FFBDB530000-0x00007FFBDBFF1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-149-0x0000000000000000-mapping.dmp

Download
memory/3132-155-0x00007FFBDB8B0000-0x00007FFBDC371000-memory.dmp

Filesize
10.8MB

Download
memory/3132-152-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/3912-153-0x0000000000000000-mapping.dmp

Download
memory/4196-154-0x0000000000000000-mapping.dmp

Download
memory/105856-142-0x0000000006B30000-0x0000000006CF2000-memory.dmp

Filesize
1.8MB

Download
memory/105856-148-0x00000000070F0000-0x000000000710E000-memory.dmp

Filesize
120KB

Download
memory/105856-147-0x0000000007D10000-0x00000000082B4000-memory.dmp

Filesize
5.6MB

Download
memory/105856-146-0x0000000006FB0000-0x0000000007026000-memory.dmp

Filesize
472KB

Download
memory/105856-145-0x0000000006F10000-0x0000000006FA2000-memory.dmp

Filesize
584KB

Download
memory/105856-144-0x0000000006D00000-0x0000000006D66000-memory.dmp

Filesize
408KB

Download
memory/105856-143-0x0000000007230000-0x000000000775C000-memory.dmp

Filesize
5.2MB

Download
memory/105856-132-0x0000000000000000-mapping.dmp

Download
memory/105856-141-0x0000000005C00000-0x0000000005D0A000-memory.dmp

Filesize
1.0MB

Download
memory/105856-140-0x0000000005960000-0x000000000599C000-memory.dmp

Filesize
240KB

Download
memory/105856-139-0x0000000005900000-0x0000000005912000-memory.dmp

Filesize
72KB

Download
memory/105856-138-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/105856-133-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads