redline | f7408ac079050ef9b68f30d000f8192d5cac81d837d5b3f68518f3cfe9a91b10

General

Target

Setup.exe
Size

214KB
MD5

066e4ddca165ce3d51e127edef3ad79a
SHA1

3f5c07a22ebe53ad58dc954c9788c6110abb1d31
SHA256

83532232c4fd411da4181c80b884c8d8f752397316fcfc1da1d72044a5079e66
SHA512

fca5f1b0a1edc09f0f5c400f74d6aee7151c323af04f0d8c97b025e7df15c7f3e93b307074f86eab7a56136148c2e0334532a304f6a84eeb8b16d25fc7185222
SSDEEP

6144:lG/vV4vU6l1mFsX8806bk5N4LAyfXiU+9:lmw8c88zjfXiU+

Score

10^/10

redline infostealer spyware

Malware Config

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes

auth_value
1c8ff7dee822ac80430e5d694755817e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/1736-57-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/1736-62-0x00000000000A27EE-mapping.dmp	family_redline
behavioral1/memory/1736-63-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline
behavioral1/memory/1736-64-0x0000000000080000-0x00000000000A8000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2004	brave.exe
900	ofg.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	vbc.exe
1736	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 1736	1368	Setup.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
580	1368	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1080	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1736	vbc.exe
1736	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	vbc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1736	1368	Setup.exe	29
PID 1368 wrote to memory of 1736	1368	Setup.exe	29
PID 1368 wrote to memory of 1736	1368	Setup.exe	29
PID 1368 wrote to memory of 1736	1368	Setup.exe	29
PID 1368 wrote to memory of 1736	1368	Setup.exe	29
PID 1368 wrote to memory of 1736	1368	Setup.exe	29
PID 1368 wrote to memory of 580	1368	Setup.exe	30
PID 1368 wrote to memory of 580	1368	Setup.exe	30
PID 1368 wrote to memory of 580	1368	Setup.exe	30
PID 1368 wrote to memory of 580	1368	Setup.exe	30
PID 1736 wrote to memory of 2004	1736	vbc.exe	32
PID 1736 wrote to memory of 2004	1736	vbc.exe	32
PID 1736 wrote to memory of 2004	1736	vbc.exe	32
PID 1736 wrote to memory of 2004	1736	vbc.exe	32
PID 1736 wrote to memory of 900	1736	vbc.exe	33
PID 1736 wrote to memory of 900	1736	vbc.exe	33
PID 1736 wrote to memory of 900	1736	vbc.exe	33
PID 1736 wrote to memory of 900	1736	vbc.exe	33
PID 900 wrote to memory of 1080	900	ofg.exe	34
PID 900 wrote to memory of 1080	900	ofg.exe	34
PID 900 wrote to memory of 1080	900	ofg.exe	34
PID 900 wrote to memory of 1080	900	ofg.exe	34

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Google\brave.exe
    "C:\Users\Admin\AppData\Local\Google\brave.exe"
    3⤵
    - Executes dropped EXE
    PID:2004
- - C:\Users\Admin\AppData\Local\Google\ofg.exe
    "C:\Users\Admin\AppData\Local\Google\ofg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Google\ofg.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 36
  2⤵
  - Program crash
  PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\brave.exe

Filesize
2.8MB

MD5
9253ed091d81e076a3037e12af3dc871

SHA1
ec02829a25b3bf57ad061bbe54180d0c99c76981

SHA256
78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

SHA512
29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4

Download Submit
C:\Users\Admin\AppData\Local\Google\ofg.exe

Filesize
86KB

MD5
33dad992607d0ffd44d2c81fe67f8fb1

SHA1
e5b67dc05505fb1232504231f41cba225c282d3c

SHA256
95903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4

SHA512
444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4

Download Submit
\Users\Admin\AppData\Local\Google\brave.exe

Filesize
2.8MB

MD5
9253ed091d81e076a3037e12af3dc871

SHA1
ec02829a25b3bf57ad061bbe54180d0c99c76981

SHA256
78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

SHA512
29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4

Download Submit
\Users\Admin\AppData\Local\Google\ofg.exe

Filesize
86KB

MD5
33dad992607d0ffd44d2c81fe67f8fb1

SHA1
e5b67dc05505fb1232504231f41cba225c282d3c

SHA256
95903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4

SHA512
444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4

Download Submit
memory/1368-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1736-64-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1736-63-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1736-57-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1736-55-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads