redline | 80062a2c4d26ad08db5754e7c380325279d7e8e89695516e20dbf688a9d81d23

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/12/2022, 21:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe
Size

119KB
MD5

382c6fcf72d2e1328ea56f8e7ac17221
SHA1

140dbad1dac64f9245011afb001caf3e2a255aea
SHA256

64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c
SHA512

dc56be235677959d6395f90896e88a4eff9222acbbce550ac6a171dff1fbc1b614327a965e3abc40c3f2840d9dec49283d6b71d42b8501b0976565890217f34b
SSDEEP

1536:fS24cISk+2GlV12JrNKAC5rSW7sM/yExKGvS/VMcYzthOij0u2p9/0jAcFqgDKXE:fhMXc71CNRGmwzdguO9/QPBK+yQesOO

Score

10^/10

redline 1474623994_99 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

1474623994_99

maroccowin.top:3306

maroccowin.top:28786

Attributes

auth_value
dc9cea2484b65da8bd62583527966114

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1944	2040	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1708	AppLaunch.exe
1708	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	AppLaunch.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1708	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	29
PID 2040 wrote to memory of 1944	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	30
PID 2040 wrote to memory of 1944	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	30
PID 2040 wrote to memory of 1944	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	30
PID 2040 wrote to memory of 1944	2040	64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe	30

C:\Users\Admin\AppData\Local\Temp\64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe
"C:\Users\Admin\AppData\Local\Temp\64ae1f37936eeec41ce48b140ff2d4800c99448dd0fa890269eac362be0e478c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 96
  2⤵
  - Program crash
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-54-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1708-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1708-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1708-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1708-64-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download