redline | 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b89982510003a83b72e023cefc4edd8e.exe
Size

1.9MB
MD5

b89982510003a83b72e023cefc4edd8e
SHA1

b97b061a10191eb3ce6382b6ce55b5bc0b3108fc
SHA256

15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd
SHA512

71fd21d18931d3bc5c3f0bc395df644d77af65a2ffbb83e9b23eaae42322710e62a6a658938d763b1547077433f06a99d6fcfed18787545ccaa8c2de21dc11e5
SSDEEP

49152:V5Ov3R+uH6r5eKowZO1Oz3tLcmkDLLEYzdGPET:V5Gh+iOz3tLwnRGi

Score

10^/10

redline logsdiller cloud (telegram: @logsdillabot)socicalbot infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

51.210.137.6:47909

Attributes

auth_value
c2955ed3813a798683a185a82e949f88

Extracted

Family

redline

Botnet

socicalbot

149.28.205.74:2470

Attributes

auth_value
9c51f0d7102febd61d441fffb9c4bb47

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

3 1104 WScript.exe
4 1104 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

tel.exefcc.exejjj.exe

pid process

1560 tel.exe
1224 fcc.exe
684 jjj.exe

flow	pid	process
3	1104	WScript.exe
4	1104	WScript.exe

pid	process
1560	tel.exe
1224	fcc.exe
684	jjj.exe

Loads dropped DLL 14 IoCs

Processes:

b89982510003a83b72e023cefc4edd8e.exeWerFault.exe

pid	process
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
2028	b89982510003a83b72e023cefc4edd8e.exe
480	WerFault.exe
480	WerFault.exe
480	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

jjj.exe

description pid process target process

PID 684 set thread context of 1068 684 jjj.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

480 684 WerFault.exe jjj.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

1068 vbc.exe
1068 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1068 vbc.exe

description	pid	process	target process
PID 684 set thread context of 1068	684	jjj.exe	vbc.exe

pid	pid_target	process	target process
480	684	WerFault.exe	jjj.exe

pid	process
1068	vbc.exe
1068	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1068	vbc.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

b89982510003a83b72e023cefc4edd8e.exetel.exefcc.exejjj.exe

description	pid	process	target process
PID 2028 wrote to memory of 1104	2028	b89982510003a83b72e023cefc4edd8e.exe	WScript.exe
PID 2028 wrote to memory of 1104	2028	b89982510003a83b72e023cefc4edd8e.exe	WScript.exe
PID 2028 wrote to memory of 1104	2028	b89982510003a83b72e023cefc4edd8e.exe	WScript.exe
PID 2028 wrote to memory of 1104	2028	b89982510003a83b72e023cefc4edd8e.exe	WScript.exe
PID 2028 wrote to memory of 1560	2028	b89982510003a83b72e023cefc4edd8e.exe	tel.exe
PID 2028 wrote to memory of 1560	2028	b89982510003a83b72e023cefc4edd8e.exe	tel.exe
PID 2028 wrote to memory of 1560	2028	b89982510003a83b72e023cefc4edd8e.exe	tel.exe
PID 2028 wrote to memory of 1560	2028	b89982510003a83b72e023cefc4edd8e.exe	tel.exe
PID 2028 wrote to memory of 1224	2028	b89982510003a83b72e023cefc4edd8e.exe	fcc.exe
PID 2028 wrote to memory of 1224	2028	b89982510003a83b72e023cefc4edd8e.exe	fcc.exe
PID 2028 wrote to memory of 1224	2028	b89982510003a83b72e023cefc4edd8e.exe	fcc.exe
PID 2028 wrote to memory of 1224	2028	b89982510003a83b72e023cefc4edd8e.exe	fcc.exe
PID 2028 wrote to memory of 684	2028	b89982510003a83b72e023cefc4edd8e.exe	jjj.exe
PID 2028 wrote to memory of 684	2028	b89982510003a83b72e023cefc4edd8e.exe	jjj.exe
PID 2028 wrote to memory of 684	2028	b89982510003a83b72e023cefc4edd8e.exe	jjj.exe
PID 2028 wrote to memory of 684	2028	b89982510003a83b72e023cefc4edd8e.exe	jjj.exe
PID 1560 wrote to memory of 992	1560	tel.exe	vbc.exe
PID 1560 wrote to memory of 992	1560	tel.exe	vbc.exe
PID 1560 wrote to memory of 992	1560	tel.exe	vbc.exe
PID 1560 wrote to memory of 992	1560	tel.exe	vbc.exe
PID 1560 wrote to memory of 992	1560	tel.exe	vbc.exe
PID 1224 wrote to memory of 776	1224	fcc.exe	cmd.exe
PID 1224 wrote to memory of 776	1224	fcc.exe	cmd.exe
PID 1224 wrote to memory of 776	1224	fcc.exe	cmd.exe
PID 1224 wrote to memory of 776	1224	fcc.exe	cmd.exe
PID 684 wrote to memory of 1068	684	jjj.exe	vbc.exe
PID 684 wrote to memory of 1068	684	jjj.exe	vbc.exe
PID 684 wrote to memory of 1068	684	jjj.exe	vbc.exe
PID 684 wrote to memory of 1068	684	jjj.exe	vbc.exe
PID 684 wrote to memory of 1068	684	jjj.exe	vbc.exe
PID 684 wrote to memory of 1068	684	jjj.exe	vbc.exe
PID 684 wrote to memory of 480	684	jjj.exe	WerFault.exe
PID 684 wrote to memory of 480	684	jjj.exe	WerFault.exe
PID 684 wrote to memory of 480	684	jjj.exe	WerFault.exe
PID 684 wrote to memory of 480	684	jjj.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b89982510003a83b72e023cefc4edd8e.exe
"C:\Users\Admin\AppData\Local\Temp\b89982510003a83b72e023cefc4edd8e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
2⤵
- Blocklisted process makes network request
PID:1104

C:\Windows\Temp\tel.exe
"C:\Windows\Temp\tel.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:992

C:\Windows\Temp\fcc.exe
"C:\Windows\Temp\fcc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
3⤵
PID:776

C:\Windows\Temp\jjj.exe
"C:\Windows\Temp\jjj.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 48
3⤵
- Loads dropped DLL
- Program crash
PID:480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\1.vbs
Filesize
105B

MD5
07e1e48d3df9b78f2fc2db6cf3f81a55

SHA1
8e998dec6ad9c779e5eeebb5cf40f2f436dfc26f

SHA256
9b6bea54b95a14045f6b527675a9456fd4d8d22dcd22e0d1eedac440fe8b02fb

SHA512
001a1de66dbec029dc2422ff93e0ba6b882ba54f3316b4e4a912052d6d054e77142432f8550281c3edec98b07a6c12c5d0659ed1f1af143c2b9edcd6a2a18b9b

Download Submit
C:\Windows\Temp\fcc.exe
Filesize
2.5MB

MD5
4075e44d856c8340053b221f6077281b

SHA1
fd1adf1a8dd0cc3e6f5185668e85015f7bd449ac

SHA256
2101eaf3e97324925e22a012d91325dce329c18563a91919dd8a699d03b28d6b

SHA512
d1fdaa55250b0b7fe589419b7068c7c38a6af8a96100844e081cbc619801e5a33c30f1ca3cbe51312776e6613d92fab7ddf40661a6e611459666b56698337286

Download Submit
C:\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
C:\Windows\Temp\tel.exe
Filesize
355KB

MD5
89a44c83a4cb4ae7c59c5afde077ef7a

SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b

SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83

SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d

Download Submit
\Windows\Temp\fcc.exe
Filesize
2.5MB

MD5
4075e44d856c8340053b221f6077281b

SHA1
fd1adf1a8dd0cc3e6f5185668e85015f7bd449ac

SHA256
2101eaf3e97324925e22a012d91325dce329c18563a91919dd8a699d03b28d6b

SHA512
d1fdaa55250b0b7fe589419b7068c7c38a6af8a96100844e081cbc619801e5a33c30f1ca3cbe51312776e6613d92fab7ddf40661a6e611459666b56698337286

Download Submit
\Windows\Temp\fcc.exe
Filesize
2.5MB

MD5
4075e44d856c8340053b221f6077281b

SHA1
fd1adf1a8dd0cc3e6f5185668e85015f7bd449ac

SHA256
2101eaf3e97324925e22a012d91325dce329c18563a91919dd8a699d03b28d6b

SHA512
d1fdaa55250b0b7fe589419b7068c7c38a6af8a96100844e081cbc619801e5a33c30f1ca3cbe51312776e6613d92fab7ddf40661a6e611459666b56698337286

Download Submit
\Windows\Temp\fcc.exe
Filesize
2.5MB

MD5
4075e44d856c8340053b221f6077281b

SHA1
fd1adf1a8dd0cc3e6f5185668e85015f7bd449ac

SHA256
2101eaf3e97324925e22a012d91325dce329c18563a91919dd8a699d03b28d6b

SHA512
d1fdaa55250b0b7fe589419b7068c7c38a6af8a96100844e081cbc619801e5a33c30f1ca3cbe51312776e6613d92fab7ddf40661a6e611459666b56698337286

Download Submit
\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
\Windows\Temp\tel.exe
Filesize
355KB

MD5
89a44c83a4cb4ae7c59c5afde077ef7a

SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b

SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83

SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d

Download Submit
\Windows\Temp\tel.exe
Filesize
355KB

MD5
89a44c83a4cb4ae7c59c5afde077ef7a

SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b

SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83

SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d

Download Submit
\Windows\Temp\tel.exe
Filesize
355KB

MD5
89a44c83a4cb4ae7c59c5afde077ef7a

SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b

SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83

SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d

Download Submit
\Windows\Temp\tel.exe
Filesize
355KB

MD5
89a44c83a4cb4ae7c59c5afde077ef7a

SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b

SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83

SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d

Download Submit
memory/480-91-0x0000000000000000-mapping.dmp

Download
memory/684-73-0x0000000000000000-mapping.dmp

Download
memory/776-81-0x0000000000000000-mapping.dmp

Download
memory/992-74-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/992-77-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1068-90-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1068-89-0x000000000041B59A-mapping.dmp

Download
memory/1068-84-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1068-92-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1104-55-0x0000000000000000-mapping.dmp

Download
memory/1224-67-0x0000000000000000-mapping.dmp

Download
memory/1560-61-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download