redline | fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e

Analysis

max time kernel
300s
max time network
304s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26-11-2022 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
Size

1.1MB
MD5

961a8e95c599c8c0b93a9be1a1595276
SHA1

2bc58c9b4174528ceb1c087b2132c027e59771b9
SHA256

fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e
SHA512

060d7863e1777d3252776f7a5de9fe273a1d55f9be21294c605f920bc6861300115a14430e53aca9d59c9c9b82a40212e282988c373a37dda9f549ea1280ce3e
SSDEEP

24576:kT6B4S0PQpkA6NQxbEbjKsHLR/t1YUMCrX01o4P7Mb:w6BNne6g/VMCrXWTQb

Score

10^/10

redline main ramses infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

RAMSES

77.73.134.54:19123

Attributes

auth_value
3ba0ecb99f540fa197be387c2d886b1f

Extracted

Family

redline

Botnet

Main

109.206.243.58:81

Attributes

auth_value
8d4fa15b87cebd556cbb5208a3db0fdc

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3464-181-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/4080-262-0x000000000042217A-mapping.dmp	family_redline
behavioral2/memory/4080-297-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe

description pid process target process

PID 2496 created 2504 2496 fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe taskhostw.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4500 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe

pid process

2496 fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2496 created 2504	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	taskhostw.exe

pid	process
4500	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exesvchost.exe

description	pid	process	target process
PID 2496 set thread context of 3464	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 4500 set thread context of 4080	4500	svchost.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exeInstallUtil.exengentask.exe

pid	process
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
4080	InstallUtil.exe
3464	ngentask.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

InstallUtil.exengentask.exe

description pid process

Token: SeDebugPrivilege 4080 InstallUtil.exe
Token: SeDebugPrivilege 3464 ngentask.exe

description	pid	process
Token: SeDebugPrivilege	4080	InstallUtil.exe
Token: SeDebugPrivilege	3464	ngentask.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exesvchost.exe

description	pid	process	target process
PID 2496 wrote to memory of 3468	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3468	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3468	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3504	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3504	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3504	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3464	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3464	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3464	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3464	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 3464	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	ngentask.exe
PID 2496 wrote to memory of 4500	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	svchost.exe
PID 2496 wrote to memory of 4500	2496	fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe	svchost.exe
PID 4500 wrote to memory of 4080	4500	svchost.exe	InstallUtil.exe
PID 4500 wrote to memory of 4080	4500	svchost.exe	InstallUtil.exe
PID 4500 wrote to memory of 4080	4500	svchost.exe	InstallUtil.exe
PID 4500 wrote to memory of 4080	4500	svchost.exe	InstallUtil.exe
PID 4500 wrote to memory of 4080	4500	svchost.exe	InstallUtil.exe
PID 4500 wrote to memory of 4080	4500	svchost.exe	InstallUtil.exe
PID 4500 wrote to memory of 4080	4500	svchost.exe	InstallUtil.exe
PID 4500 wrote to memory of 4080	4500	svchost.exe	InstallUtil.exe

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Users\Admin\AppData\Local\Temp\fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe
"C:\Users\Admin\AppData\Local\Temp\fa9fd2326463dbf70da032a4d6c59ca75d489cfab4d5a6a1cc58a66b4bccfb4e.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:3468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
397KB

MD5
4d092d21a9c2387bbeec43de49d78210

SHA1
3e6994ab8a3a6e7ffe9efe9868f92d26a83adab8

SHA256
5d8bc54a22156046c64dd6c3d5967d567f8ed6563a8eb00013d536f7ea9c463b

SHA512
3995ccfc7fc3545660b649499129269255ac57f968b5805c3ab2308af6498d4eb6043d69dc6cf2dd1d1c392873d8cf8705994ac230157734465f4f32cfeea8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
397KB

MD5
4d092d21a9c2387bbeec43de49d78210

SHA1
3e6994ab8a3a6e7ffe9efe9868f92d26a83adab8

SHA256
5d8bc54a22156046c64dd6c3d5967d567f8ed6563a8eb00013d536f7ea9c463b

SHA512
3995ccfc7fc3545660b649499129269255ac57f968b5805c3ab2308af6498d4eb6043d69dc6cf2dd1d1c392873d8cf8705994ac230157734465f4f32cfeea8f4

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
186KB

MD5
6ae5ca10fd20d45c607e1de62bbf5925

SHA1
4f9320b85190830629bfbae2d7f179e86afd20c6

SHA256
34fe4dcab667cf86450ac4e054bf6566f5a2511e556af14598a7788c27083baf

SHA512
f7abcb9fc54441db4766b066b8dbd5f9719a00166eb9f7c9a731da03006f192d67d4b971f8dca655ba2997e47f4af6fb73759e29afe5566743d77ab638588392

Download Submit
memory/2496-156-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-146-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-119-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-120-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-121-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-122-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-123-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-124-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-125-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-126-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-127-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-128-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-129-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-130-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-131-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-132-0x0000000002D90000-0x00000000032B9000-memory.dmp

Filesize
5.2MB

Download
memory/2496-133-0x0000000002D90000-0x00000000032B9000-memory.dmp

Filesize
5.2MB

Download
memory/2496-134-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-135-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-136-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-138-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-137-0x00000000032C0000-0x00000000033C2000-memory.dmp

Filesize
1.0MB

Download
memory/2496-139-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-157-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-141-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-142-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-143-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-144-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-145-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-158-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-147-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-148-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-150-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-149-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-152-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-151-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-153-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-154-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-155-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-117-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-140-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-118-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-159-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-160-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-161-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-162-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-163-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-164-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-165-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-166-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-167-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-168-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-169-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-170-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-171-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-172-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-173-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-174-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-175-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-176-0x00000000032C0000-0x00000000033C2000-memory.dmp

Filesize
1.0MB

Download
memory/2496-177-0x000000000F2E0000-0x000000000F439000-memory.dmp

Filesize
1.3MB

Download
memory/2496-178-0x000000000F2E0000-0x000000000F439000-memory.dmp

Filesize
1.3MB

Download
memory/2496-231-0x000000000F2E0000-0x000000000F439000-memory.dmp

Filesize
1.3MB

Download
memory/3464-181-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3464-184-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-179-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3464-260-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

Filesize
1.0MB

Download
memory/3464-376-0x0000000006B60000-0x000000000708C000-memory.dmp

Filesize
5.2MB

Download
memory/3464-185-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-259-0x0000000005240000-0x0000000005846000-memory.dmp

Filesize
6.0MB

Download
memory/3464-375-0x0000000006460000-0x0000000006622000-memory.dmp

Filesize
1.8MB

Download
memory/3464-372-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/3464-371-0x0000000005F60000-0x000000000645E000-memory.dmp

Filesize
5.0MB

Download
memory/3464-182-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-335-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/3464-183-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/3464-325-0x0000000004EC0000-0x0000000004F0B000-memory.dmp

Filesize
300KB

Download
memory/4080-322-0x0000000005610000-0x000000000564E000-memory.dmp

Filesize
248KB

Download
memory/4080-262-0x000000000042217A-mapping.dmp

Download
memory/4080-297-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4080-319-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/4500-241-0x000001E3BA820000-0x000001E3BA886000-memory.dmp

Filesize
408KB

Download
memory/4500-239-0x000001E3B8960000-0x000001E3B89C8000-memory.dmp

Filesize
416KB

Download
memory/4500-235-0x0000000000000000-mapping.dmp

Download