redline | d3eadb0bfec97357ff2aab4b1a0cf0e241de29eef7c67c9def68b40142fe1f31

General

Target

66721704fcb230df0479066c961b704d.exe
Size

1.3MB
MD5

66721704fcb230df0479066c961b704d
SHA1

06846af0ac608f14177c26cb3c15bf2a028a736e
SHA256

d3eadb0bfec97357ff2aab4b1a0cf0e241de29eef7c67c9def68b40142fe1f31
SHA512

9b05d40c8f11dc360473cf072bd9d79642cd27cf9d37b43a878c7228093c4a7fc92da1633492e5495be88c29cb0c2051f93ddf4633478db04570400cd853e4ff
SSDEEP

24576:mpRkyTKA1eBSjvjmviCWYoa19btJGnjPGcoielIYACCSFAsnCE:BU5ex6zxa19btJGnrguYAERC

Score

10^/10

redline @ebaniynoyname infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@EBANIYNOYNAME

C2

82.115.223.162:26393

Attributes

auth_value
3517499b9df589c8c64f775931cb7b6d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/99892-56-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/99892-61-0x00000000000A229A-mapping.dmp	family_redline
behavioral1/memory/99892-62-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/99892-63-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
100268	Ubisoft.exe

Loads dropped DLL 1 IoCs

pid	Process
99892	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 99892	1788	66721704fcb230df0479066c961b704d.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
99940	1788	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
99892	vbc.exe
99892	vbc.exe
1588	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	99892	vbc.exe
Token: SeDebugPrivilege	1588	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 99892	1788	66721704fcb230df0479066c961b704d.exe	29
PID 1788 wrote to memory of 99892	1788	66721704fcb230df0479066c961b704d.exe	29
PID 1788 wrote to memory of 99892	1788	66721704fcb230df0479066c961b704d.exe	29
PID 1788 wrote to memory of 99892	1788	66721704fcb230df0479066c961b704d.exe	29
PID 1788 wrote to memory of 99892	1788	66721704fcb230df0479066c961b704d.exe	29
PID 1788 wrote to memory of 99892	1788	66721704fcb230df0479066c961b704d.exe	29
PID 1788 wrote to memory of 99940	1788	66721704fcb230df0479066c961b704d.exe	30
PID 1788 wrote to memory of 99940	1788	66721704fcb230df0479066c961b704d.exe	30
PID 1788 wrote to memory of 99940	1788	66721704fcb230df0479066c961b704d.exe	30
PID 1788 wrote to memory of 99940	1788	66721704fcb230df0479066c961b704d.exe	30
PID 99892 wrote to memory of 100268	99892	vbc.exe	32
PID 99892 wrote to memory of 100268	99892	vbc.exe	32
PID 99892 wrote to memory of 100268	99892	vbc.exe	32
PID 99892 wrote to memory of 100268	99892	vbc.exe	32
PID 100268 wrote to memory of 1588	100268	Ubisoft.exe	33
PID 100268 wrote to memory of 1588	100268	Ubisoft.exe	33
PID 100268 wrote to memory of 1588	100268	Ubisoft.exe	33

C:\Users\Admin\AppData\Local\Temp\66721704fcb230df0479066c961b704d.exe
"C:\Users\Admin\AppData\Local\Temp\66721704fcb230df0479066c961b704d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:99892
- - C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe
    "C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:100268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 98528
  2⤵
  - Program crash
  PID:99940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
memory/1588-74-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1588-79-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1588-75-0x000007FEEC330000-0x000007FEECD53000-memory.dmp

Filesize
10.1MB

Download
memory/1588-76-0x000007FEEB7D0000-0x000007FEEC32D000-memory.dmp

Filesize
11.4MB

Download
memory/1588-77-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1588-78-0x00000000026EB000-0x000000000270A000-memory.dmp

Filesize
124KB

Download
memory/99892-62-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/99892-56-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/99892-63-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/99892-65-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/99892-54-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/100268-72-0x0000000000D60000-0x0000000000DF2000-memory.dmp

Filesize
584KB

Download
memory/100268-71-0x0000000001210000-0x00000000012FA000-memory.dmp

Filesize
936KB

Download
memory/100268-70-0x0000000001300000-0x000000000148C000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing