redline | f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f

General

Target

f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe
Size

294KB
MD5

8c99899c499b98ad45eb5af4d7687ddf
SHA1

2ae45a88bd42e9de2df0af83f35bc60a9af5345b
SHA256

f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f
SHA512

e24a0d25387ca9363a053450a5092e35e28afa7cd09a6a7500de2f17176e0928a452235665aff0357be9f976ce46baa959a204fd4160a64894014ef590688325
SSDEEP

6144:x35jAT+iVfmmYC9SraKuMp4KLTFtuRauiT:x3aSiVft9TMp4KnFtuRaui

Score

10^/10

redline infostealer spyware

Malware Config

Extracted

Family

redline

C2

79.137.192.7:39946

Attributes

auth_value
52ceecb848f38969703143a1492660ce

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/43868-133-0x0000000000A10000-0x0000000000A38000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ofg.exechrome.exesvcupdater.exe

pid process

4504 ofg.exe
2772 chrome.exe
2088 svcupdater.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe

description pid process target process

PID 736 set thread context of 43868 736 f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

43980 736 WerFault.exe f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4216 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

43868 vbc.exe
43868 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 43868 vbc.exe

pid	process
4504	ofg.exe
2772	chrome.exe
2088	svcupdater.exe

description	pid	process	target process
PID 736 set thread context of 43868	736	f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe	vbc.exe

pid	pid_target	process	target process
43980	736	WerFault.exe	f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe

pid	process
4216	schtasks.exe

pid	process
43868	vbc.exe
43868	vbc.exe

description	pid	process
Token: SeDebugPrivilege	43868	vbc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exevbc.exeofg.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 43868	736	f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe	vbc.exe
PID 736 wrote to memory of 43868	736	f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe	vbc.exe
PID 736 wrote to memory of 43868	736	f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe	vbc.exe
PID 736 wrote to memory of 43868	736	f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe	vbc.exe
PID 736 wrote to memory of 43868	736	f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe	vbc.exe
PID 43868 wrote to memory of 4504	43868	vbc.exe	ofg.exe
PID 43868 wrote to memory of 4504	43868	vbc.exe	ofg.exe
PID 4504 wrote to memory of 4588	4504	ofg.exe	cmd.exe
PID 4504 wrote to memory of 4588	4504	ofg.exe	cmd.exe
PID 4588 wrote to memory of 4216	4588	cmd.exe	schtasks.exe
PID 4588 wrote to memory of 4216	4588	cmd.exe	schtasks.exe
PID 43868 wrote to memory of 2772	43868	vbc.exe	chrome.exe
PID 43868 wrote to memory of 2772	43868	vbc.exe	chrome.exe
PID 43868 wrote to memory of 2772	43868	vbc.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe
"C:\Users\Admin\AppData\Local\Temp\f5336efef1b72316122a027eea5657a9742654c7924b3bc8852a18c50f62e20f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:43868

C:\Users\Admin\AppData\Local\Google\ofg.exe
"C:\Users\Admin\AppData\Local\Google\ofg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\system32\cmd.exe
cmd.exe /C schtasks /create /tn OzqLuwrCYU /tr C:\Users\Admin\AppData\Roaming\OzqLuwrCYU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\system32\schtasks.exe
schtasks /create /tn OzqLuwrCYU /tr C:\Users\Admin\AppData\Roaming\OzqLuwrCYU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
5⤵
- Creates scheduled task(s)
PID:4216

C:\Users\Admin\AppData\Local\Google\chrome.exe
"C:\Users\Admin\AppData\Local\Google\chrome.exe"
3⤵
- Executes dropped EXE
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 41168
2⤵
- Program crash
PID:43980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 736 -ip 736
1⤵
PID:43948

C:\Users\Admin\AppData\Roaming\OzqLuwrCYU\svcupdater.exe
C:\Users\Admin\AppData\Roaming\OzqLuwrCYU\svcupdater.exe
1⤵
- Executes dropped EXE
PID:2088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\chrome.exe

Filesize
6.1MB

MD5
8cd1ea50f8f4c45055400e70da52b326

SHA1
40af98091e8c32ce9c90502b3d851ebc231cacf9

SHA256
66552cbe03b205cba08a2524fb93303dec5edf51188758b08d12624db1ee73e1

SHA512
b0be3acccf8ce64343b10e33b7cd5e7292164259d65c07e0c63c08dc05bfa0cf268290b3a37f20f6afa81d7163be8c90ac9ae9a7fb93c3e61cbc08310a2beaf1

Download Submit
C:\Users\Admin\AppData\Local\Google\chrome.exe

Filesize
6.1MB

MD5
8cd1ea50f8f4c45055400e70da52b326

SHA1
40af98091e8c32ce9c90502b3d851ebc231cacf9

SHA256
66552cbe03b205cba08a2524fb93303dec5edf51188758b08d12624db1ee73e1

SHA512
b0be3acccf8ce64343b10e33b7cd5e7292164259d65c07e0c63c08dc05bfa0cf268290b3a37f20f6afa81d7163be8c90ac9ae9a7fb93c3e61cbc08310a2beaf1

Download Submit
C:\Users\Admin\AppData\Local\Google\ofg.exe

Filesize
4.7MB

MD5
f36a905dbe6231409d40c52ab550820a

SHA1
d9522bb2b8b65cba4799d842c68bf40d4219ffec

SHA256
ca42f07551a6f462e0afbb0deac444612a87ae67d1b427dea55f1287a42e111b

SHA512
bbb0496df5907ec7eb18ded66f44956c17654ef09c90f5be7e9cb829757b7324f5e2a4b90e3368414dbfb5efce765c00c7d3bc710298228b92add92974b1abc4

Download Submit
C:\Users\Admin\AppData\Local\Google\ofg.exe

Filesize
4.7MB

MD5
f36a905dbe6231409d40c52ab550820a

SHA1
d9522bb2b8b65cba4799d842c68bf40d4219ffec

SHA256
ca42f07551a6f462e0afbb0deac444612a87ae67d1b427dea55f1287a42e111b

SHA512
bbb0496df5907ec7eb18ded66f44956c17654ef09c90f5be7e9cb829757b7324f5e2a4b90e3368414dbfb5efce765c00c7d3bc710298228b92add92974b1abc4

Download Submit
C:\Users\Admin\AppData\Roaming\OzqLuwrCYU\svcupdater.exe

Filesize
4.7MB

MD5
f36a905dbe6231409d40c52ab550820a

SHA1
d9522bb2b8b65cba4799d842c68bf40d4219ffec

SHA256
ca42f07551a6f462e0afbb0deac444612a87ae67d1b427dea55f1287a42e111b

SHA512
bbb0496df5907ec7eb18ded66f44956c17654ef09c90f5be7e9cb829757b7324f5e2a4b90e3368414dbfb5efce765c00c7d3bc710298228b92add92974b1abc4

Download Submit
C:\Users\Admin\AppData\Roaming\OzqLuwrCYU\svcupdater.exe

Filesize
4.7MB

MD5
f36a905dbe6231409d40c52ab550820a

SHA1
d9522bb2b8b65cba4799d842c68bf40d4219ffec

SHA256
ca42f07551a6f462e0afbb0deac444612a87ae67d1b427dea55f1287a42e111b

SHA512
bbb0496df5907ec7eb18ded66f44956c17654ef09c90f5be7e9cb829757b7324f5e2a4b90e3368414dbfb5efce765c00c7d3bc710298228b92add92974b1abc4

Download Submit
memory/2772-154-0x0000000000000000-mapping.dmp

Download
memory/4216-153-0x0000000000000000-mapping.dmp

Download
memory/4504-149-0x0000000000000000-mapping.dmp

Download
memory/4588-152-0x0000000000000000-mapping.dmp

Download
memory/43868-141-0x00000000050B0000-0x00000000050EC000-memory.dmp

Filesize
240KB

Download
memory/43868-147-0x0000000006B10000-0x0000000006B86000-memory.dmp

Filesize
472KB

Download
memory/43868-148-0x0000000006B90000-0x0000000006BE0000-memory.dmp

Filesize
320KB

Download
memory/43868-146-0x0000000007CD0000-0x00000000081FC000-memory.dmp

Filesize
5.2MB

Download
memory/43868-145-0x00000000075D0000-0x0000000007792000-memory.dmp

Filesize
1.8MB

Download
memory/43868-144-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/43868-143-0x00000000062A0000-0x0000000006844000-memory.dmp

Filesize
5.6MB

Download
memory/43868-142-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/43868-132-0x0000000000000000-mapping.dmp

Download
memory/43868-140-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

Filesize
72KB

Download
memory/43868-139-0x00000000051C0000-0x00000000052CA000-memory.dmp

Filesize
1.0MB

Download
memory/43868-138-0x00000000056D0000-0x0000000005CE8000-memory.dmp

Filesize
6.1MB

Download
memory/43868-133-0x0000000000A10000-0x0000000000A38000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads