redline | 5dfc270f4ab0582f5718784c455623755d8fb7a22a2e8db4d98be5ecb913352c

Analysis

max time kernel
107s
max time network
134s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-01-2023 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

12.5MB
MD5

d7ac9f5311f60a1e99d3547d66f19a4d
SHA1

17a4692a0afbad5be0e94d13d0a7ba5526d1b522
SHA256

5dfc270f4ab0582f5718784c455623755d8fb7a22a2e8db4d98be5ecb913352c
SHA512

c9af04f1324534ff842211f7b4cfa6abb49a8d987fd070a50918c7469b2d4d9d40992c972e51970c6245af12b43f107cdf0dd3f44e87b197d675a5f9ec86da7b
SSDEEP

393216:3xsX4B8eD3F+oI9KtC9N5cfZLxsaZf4nT7P4tU:3GI9FQ3OfZLSPP4q

Score

10^/10

redline infostealer spyware upx

Malware Config

Extracted

Family

redline

195.20.17.174:80

Attributes

auth_value
cf75908d75b4508135a38c8679c86f6e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/memory/1884-77-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
792	animecool.exe
268	poxuipluspoxui.exe
1884	nig1r21312312.exe
1076	ConsoleApplication1.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000141fc-70.dat	upx
behavioral1/files/0x00070000000141fc-69.dat	upx
behavioral1/files/0x00070000000141fc-73.dat	upx
behavioral1/files/0x00070000000141fc-71.dat	upx
behavioral1/memory/1884-77-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Loads dropped DLL 11 IoCs

pid	Process
364	setup.exe
364	setup.exe
364	setup.exe
364	setup.exe
364	setup.exe
364	setup.exe
364	setup.exe
364	setup.exe
580	cmd.exe
580	cmd.exe
1844	cmd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 792 set thread context of 1496	792	animecool.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
968	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1496	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	AppLaunch.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 792	364	setup.exe	28
PID 364 wrote to memory of 792	364	setup.exe	28
PID 364 wrote to memory of 792	364	setup.exe	28
PID 364 wrote to memory of 792	364	setup.exe	28
PID 364 wrote to memory of 268	364	setup.exe	30
PID 364 wrote to memory of 268	364	setup.exe	30
PID 364 wrote to memory of 268	364	setup.exe	30
PID 364 wrote to memory of 268	364	setup.exe	30
PID 364 wrote to memory of 580	364	setup.exe	31
PID 364 wrote to memory of 580	364	setup.exe	31
PID 364 wrote to memory of 580	364	setup.exe	31
PID 364 wrote to memory of 580	364	setup.exe	31
PID 580 wrote to memory of 1884	580	cmd.exe	35
PID 580 wrote to memory of 1884	580	cmd.exe	35
PID 580 wrote to memory of 1884	580	cmd.exe	35
PID 580 wrote to memory of 1884	580	cmd.exe	35
PID 1884 wrote to memory of 1844	1884	nig1r21312312.exe	38
PID 1884 wrote to memory of 1844	1884	nig1r21312312.exe	38
PID 1884 wrote to memory of 1844	1884	nig1r21312312.exe	38
PID 1884 wrote to memory of 1844	1884	nig1r21312312.exe	38
PID 1844 wrote to memory of 968	1844	cmd.exe	37
PID 1844 wrote to memory of 968	1844	cmd.exe	37
PID 1844 wrote to memory of 968	1844	cmd.exe	37
PID 1844 wrote to memory of 968	1844	cmd.exe	37
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 792 wrote to memory of 1496	792	animecool.exe	32
PID 1844 wrote to memory of 1076	1844	cmd.exe	40
PID 1844 wrote to memory of 1076	1844	cmd.exe	40
PID 1844 wrote to memory of 1076	1844	cmd.exe	40
PID 1844 wrote to memory of 1076	1844	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\animecool.exe
  "C:\Users\Admin\AppData\Local\Temp\animecool.exe" /animecool.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  "C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe" /poxuipluspoxui.exe
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat" /govno312321412412.bat"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
    nig1r21312312.exe exec hide fds333333333333333.bat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c fds333333333333333.bat
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.exe
        
        ConsoleApplication1.exe
        5⤵
        Executes dropped EXE
        
        PID:1076

C:\Windows\SysWOW64\timeout.exe
timeout 60
1⤵
- Delays execution with timeout.exe
PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.exe

Filesize
47KB

MD5
a54b7f580b214fe5bcec8a5c69f02b2d

SHA1
d61edbaec7dabab090d2a7b43bd4e5cfb5944712

SHA256
d2b80145ce8486d2083c1ae89a99eeda9a6251957d8d3316666d6aa031a9a6e2

SHA512
3586dc18cad2eb1dc27fe90190c0b76e667a2262b5631d2a269b03988cadc092a8fe917a450da48a551b3f7dd875a1695e8aca324c5649a98ce611eb701597cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.exe

Filesize
47KB

MD5
a54b7f580b214fe5bcec8a5c69f02b2d

SHA1
d61edbaec7dabab090d2a7b43bd4e5cfb5944712

SHA256
d2b80145ce8486d2083c1ae89a99eeda9a6251957d8d3316666d6aa031a9a6e2

SHA512
3586dc18cad2eb1dc27fe90190c0b76e667a2262b5631d2a269b03988cadc092a8fe917a450da48a551b3f7dd875a1695e8aca324c5649a98ce611eb701597cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\animecool.exe

Filesize
95.1MB

MD5
1d282828f2c489573dd51bc65d568cba

SHA1
6b5fc497ecf4c1d0e91c56ed46355bad3dd7e78d

SHA256
92ad4b806e935ad0026b5b5aa9112c07890a198922568e53b0a75a706d68a085

SHA512
ce926c2d41a1d068e684e5025657c4e36d11c5b6618345b4ff4369bcca58d2c8deaba1ff0e0ac5fa936b46717f77f66b2d6f1fe9ddbe316af7c02691d53d5b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fds333333333333333.bat

Filesize
55B

MD5
78d34993a3f671785ab9ad1097e6620e

SHA1
ff600ffda2d8661cba3f1352b6df9eeff39c3b10

SHA256
988bf35e06ed737cff745ce0b33df976634072586148fba37f8056b294c0404c

SHA512
d3491ca6825c5f0b9ed4d345cc7627a752b04ab5c1f638c9a921c7619e8c08029e4d56bf773012baa232d76964dc41af6d0f54712d5671b3bc9eabc10f710cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat

Filesize
64B

MD5
d930ae56d269e8cbf42a884838a1940f

SHA1
86b54cc38ea58a602a8418c256deac72ef7bda95

SHA256
4cab9b91745224c84bf43bd0702d6754f311f0a0c62669311d05038c3fc06d32

SHA512
db647a3a570981b5171d8b97c32ded9a01ec14dd96b79a483d794fa53c11373324a01e28565f67d27c89edace73435fe875f7462f52c57e207390adaec16ecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe

Filesize
134.3MB

MD5
985d828757f43c736a16bb371ef97127

SHA1
0f7bd9510c99507a8ef60d09be550cdacde1063a

SHA256
be5aee37104d104f42df7da28154979d41faefabb77721124548ce5c2d255aa4

SHA512
c598f35f232fde3ae2c08dfb4fbd90fcc1282db709e345a829c86c264d256a8b758d775c5586136ab8b5e81505a6c8de3cde6f921902baa39552e528c8e7d3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe

Filesize
145.1MB

MD5
295ef573afae9e8c6d6de2ce04509e2a

SHA1
bffe07e6abea4bd0cc40b53c45df83d3531b8180

SHA256
cd7d348da16e8fa9d4fbda4449eab0eeac54044f2d047df416aa348c983341d8

SHA512
8237d1324b7b9e999b071509086e96df7e2bb33b6d6953bfe1b359f88ebb18978f67215c15ccaa73e7202f7d64f429f36d7b1aea6ee4f03c6536832f607281ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe

Filesize
84.6MB

MD5
586c55b7b4acb089b755accde42054e6

SHA1
0ad2f1ca28050cbdf1b887090c67ccceb6d64b59

SHA256
1ae01d48ef665361ea9943278cf519c01046e5144aeb36b48e1e16c3e9964012

SHA512
340e09935cdee89b558ab1687ba626151be7aaa6f64be7604a03e2348b289dfa9d50fba13c8d55fd42eb55a238653f6e3ca1e05a279ce9a70e2ecdc848c6e6a1

Download Submit
\Users\Admin\AppData\Local\Temp\ConsoleApplication1.exe

Filesize
47KB

MD5
a54b7f580b214fe5bcec8a5c69f02b2d

SHA1
d61edbaec7dabab090d2a7b43bd4e5cfb5944712

SHA256
d2b80145ce8486d2083c1ae89a99eeda9a6251957d8d3316666d6aa031a9a6e2

SHA512
3586dc18cad2eb1dc27fe90190c0b76e667a2262b5631d2a269b03988cadc092a8fe917a450da48a551b3f7dd875a1695e8aca324c5649a98ce611eb701597cd

Download Submit
\Users\Admin\AppData\Local\Temp\animecool.exe

Filesize
202.6MB

MD5
3ec1c57feb87a8b222e2e138f6db24ef

SHA1
f47ba39f534f6ababe72219b7ebd3e2ca966afd3

SHA256
99cbf3a764f5bfe51d26e6d2131ed6d068923452e85e1b30ff6f7cdab7211a9d

SHA512
ce22be04392f5df87287540e9150876ff0a1dc8924265830f8fbcb171b25ef8214e5cf4b58752d220db4cee9a6324e53d19cee2c6d0311bf8082300e1a176a59

Download Submit
\Users\Admin\AppData\Local\Temp\animecool.exe

Filesize
191.6MB

MD5
2d82ed460bfe329caf1beb1bd404e126

SHA1
f6a66f0066bfa71bf841a0a730dd11f34185306e

SHA256
4d7fe933101de319d5d98c1b0ec485f94024bbad15d25e55fbd7ed4aafa19fa2

SHA512
a8e844917007f03024d5c8bae7e66ec8798e81d3c380cb357603bb00d5159842b13cda5ab216e568e8265178e5e328de38dd69c172545a747171c86668b1292d

Download Submit
\Users\Admin\AppData\Local\Temp\animecool.exe

Filesize
197.1MB

MD5
7ef0d517f5156279aca0650d2c3fc16e

SHA1
59c96fecb6b27378ac6f5bc011e8800cb05c81a2

SHA256
13b4f3cdfb115634f2bf8f1386268058a87d35a89a1ccacbbe00ed75b39bc15d

SHA512
d2dafb9b2b13b4550a8b7cd869bf88c5b25de9a8ff40275fbcfbd3a8f71b26434d9fa40bf5fefbe07eff67de9ea0e4ff12694572f4ab2708bbfa98bf79bedf3f

Download Submit
\Users\Admin\AppData\Local\Temp\animecool.exe

Filesize
189.4MB

MD5
8a2f9aa53b1a7ece31518c7a164e7d25

SHA1
742a15b536f8d4cc28104116442b6b074ef77d38

SHA256
ed83592c7963b8b8d0dfa1fb2f23250a24f79817faa09bf79d431f131184ca43

SHA512
3014c7367974b2bcda3f0607f91ab621b04d38014a6e03efabe88ef3e724786053313923e1a7efc7e323dd6abacc89b673d1fe3b85f4bb7ce735eff72b996199

Download Submit
\Users\Admin\AppData\Local\Temp\nig1r21312312.exe

Filesize
161.2MB

MD5
16313a2f73b8e8bead99d7a3dd9fab33

SHA1
67d94dbd9fe682f087656241afe359e29f1d8c08

SHA256
d89aed623296ae05b7c8e8e07bacefe2d11c1fea1ea72822e3d947ecd439a530

SHA512
4569df721b464a209e33fb2913a6c589e428bf2e28535a198059e4737ecb2c638004391b210b0d52b0e3ef67edd6c3634d33b5eed774e541a61ca5752b58b15e

Download Submit
\Users\Admin\AppData\Local\Temp\nig1r21312312.exe

Filesize
160.4MB

MD5
ceec7ac521e48c9be0f3612e93fc3470

SHA1
bb7fb7e88e403d7c8d688ed2a2669c553d61e951

SHA256
ebe9bf6457fc5983726a23d9498a8f7010647c7cd2c46ca0733c95d1ca47bdbd

SHA512
9f4c93a7240c34fdd050f16b368a10367a631332d887c6b9ddaa15a857ea705d92a6f5fcef70432ae9f394330216dcdca0815d0fc90da0c698e3d82b6bc580cd

Download Submit
\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe

Filesize
84.7MB

MD5
65e73b2d6f0c0afe8732b5aaefef021c

SHA1
d913ca6b9662ef22c6aee5b23a6ecf5a9e11de0e

SHA256
94461327c0617a010e7d022766b253b1945c640e4ad665751f996a226f318caf

SHA512
e413f8109fc4904eaebe0fe5d5dced45dc91733235424c80d9b52ec8679baa5d547c7d52907b9956d6bdc5a39f2c12b6c0f11bbd1953665ab42e576004a89b97

Download Submit
\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe

Filesize
84.6MB

MD5
7516d13a45a3afced3e28f4c978fe320

SHA1
faea0c0fad652e7c0246092c71f61e89b26f2cb6

SHA256
ca2c2da8ff5e1b3542e441dbc6cf08a6970fd4824de4a22a15b2bedc19b2f240

SHA512
5c2d91ffc791cd662adc06aff67bf7b07e8e285ca076f7ef8d8e6809df1f6b87f9b334961c3433f73ed3fe33651969f9e0dbad6bb1adb4a4dae113399124c576

Download Submit
\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe

Filesize
84.8MB

MD5
a012ed172e8a235387e886a5e94b8c50

SHA1
f612b91c07874e3a2ef17387e2344e1eb83766a4

SHA256
5ef005b5b911b2b67b8e0f27c7f20ea2c1f248cfe21732536255c9d3d5d46d74

SHA512
2d595a5421d8f73f15f48703755ceba252dfac10421481b56b1d3bcbbc778116634727403ec0d2c2a2207b5bb9f7cb0b95307764da11a9e11d56849bec5bbfab

Download Submit
\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe

Filesize
84.5MB

MD5
32afc6fe0cad85572258420caf33e72b

SHA1
40dcc3f6af798c22c833a58f0168f37ed4b3b912

SHA256
cb8c9ab098d89101ffeaccde95f6b0712b71f3c0a5816fb43d14ff9a773d79db

SHA512
31c4251fac04d12ff5c7ad35201e1fe345bcc6faa1413df1c45f844a65b95018064a7b1b82fd178135602805047488fec4a2d80babeac8a236ce513bf0082b71

Download Submit
memory/364-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1076-94-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/1496-79-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1496-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1496-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1496-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1884-77-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download