redline | ed58b879ba33504b8994151c6bb34ce81d2b2f41645da9ffe4431375ed2328fd

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/01/2023, 13:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.1MB
MD5

20b59285f6427a8052410595ecd699d4
SHA1

e11acaff7f7b25c8c04b011979f57e0c82df83bc
SHA256

ed58b879ba33504b8994151c6bb34ce81d2b2f41645da9ffe4431375ed2328fd
SHA512

04ae97a361ec16c3f87a961563dc0483d44eef31be937c791bf06f1a19717121615f27be556294482b5f69ddcc4ce37a9dbe05c978e93a4a89cd143251bf25a9
SSDEEP

49152:V5OyUCmRByfzvY1gep8iIzjtv8QOIo1xH5KMvLuW:V54CCBcvY+ziIXtv8HIonZ7

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.210.137.6:47909

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1888	123.exe
1040	321.exe

Loads dropped DLL 12 IoCs

pid	Process
1480	file.exe
1480	file.exe
1480	file.exe
1480	file.exe
1480	file.exe
1480	file.exe
1148	WerFault.exe
1148	WerFault.exe
1148	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 1652	1888	123.exe	32
PID 1040 set thread context of 1860	1040	321.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1148	1888	WerFault.exe	28
564	1040	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	vbc.exe
1652	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1888	1480	file.exe	28
PID 1480 wrote to memory of 1888	1480	file.exe	28
PID 1480 wrote to memory of 1888	1480	file.exe	28
PID 1480 wrote to memory of 1888	1480	file.exe	28
PID 1480 wrote to memory of 1040	1480	file.exe	30
PID 1480 wrote to memory of 1040	1480	file.exe	30
PID 1480 wrote to memory of 1040	1480	file.exe	30
PID 1480 wrote to memory of 1040	1480	file.exe	30
PID 1888 wrote to memory of 1652	1888	123.exe	32
PID 1888 wrote to memory of 1652	1888	123.exe	32
PID 1888 wrote to memory of 1652	1888	123.exe	32
PID 1888 wrote to memory of 1652	1888	123.exe	32
PID 1888 wrote to memory of 1652	1888	123.exe	32
PID 1888 wrote to memory of 1652	1888	123.exe	32
PID 1888 wrote to memory of 1148	1888	123.exe	33
PID 1888 wrote to memory of 1148	1888	123.exe	33
PID 1888 wrote to memory of 1148	1888	123.exe	33
PID 1888 wrote to memory of 1148	1888	123.exe	33
PID 1040 wrote to memory of 1860	1040	321.exe	34
PID 1040 wrote to memory of 1860	1040	321.exe	34
PID 1040 wrote to memory of 1860	1040	321.exe	34
PID 1040 wrote to memory of 1860	1040	321.exe	34
PID 1040 wrote to memory of 1860	1040	321.exe	34
PID 1040 wrote to memory of 1860	1040	321.exe	34
PID 1040 wrote to memory of 564	1040	321.exe	35
PID 1040 wrote to memory of 564	1040	321.exe	35
PID 1040 wrote to memory of 564	1040	321.exe	35
PID 1040 wrote to memory of 564	1040	321.exe	35
PID 1860 wrote to memory of 1984	1860	vbc.exe	36
PID 1860 wrote to memory of 1984	1860	vbc.exe	36
PID 1860 wrote to memory of 1984	1860	vbc.exe	36
PID 1860 wrote to memory of 1984	1860	vbc.exe	36

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\Temp\123.exe
  "C:\Windows\Temp\123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 48
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1148
- C:\Windows\Temp\321.exe
  "C:\Windows\Temp\321.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 48
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\123.exe

Filesize
400KB

MD5
f8e18e56a94293be868cf74cd749f4ab

SHA1
fe0fc2aefee466159e00db97c1b92c7f2c961f9d

SHA256
65ff7af43665cb3d30304e6b0149815f4efa778b7acab768c8e393b7b3bf0a70

SHA512
b4ce36ed67227335195fac1c4c2701b0bb944f76fefbfc592b0c8ea23f75b00503ec4776444bbd4912ebfe994a18336ef35296a460ebd1ff9b72c6a8543c673d

Download Submit
C:\Windows\Temp\321.exe

Filesize
2.8MB

MD5
d967ef9e4f71a00ad98b228554322e17

SHA1
4cce0cf45054fad3aadaf8e288ac46172a14e968

SHA256
60dd8000329c5890b88049fcac58408bd6419756311f9ff95ffb69bfb68f81a0

SHA512
86f951c6dbf3fdf91a9c5ab695ea1799f6f081f7cf3b04d3661f4b01d5af38cf77d0966776d3bcef566b1f7243a24bfeb708c4c292a5271cbcce07c1bdaf6d4e

Download Submit
\Windows\Temp\123.exe

Filesize
400KB

MD5
f8e18e56a94293be868cf74cd749f4ab

SHA1
fe0fc2aefee466159e00db97c1b92c7f2c961f9d

SHA256
65ff7af43665cb3d30304e6b0149815f4efa778b7acab768c8e393b7b3bf0a70

SHA512
b4ce36ed67227335195fac1c4c2701b0bb944f76fefbfc592b0c8ea23f75b00503ec4776444bbd4912ebfe994a18336ef35296a460ebd1ff9b72c6a8543c673d

Download Submit
\Windows\Temp\123.exe

Filesize
400KB

MD5
f8e18e56a94293be868cf74cd749f4ab

SHA1
fe0fc2aefee466159e00db97c1b92c7f2c961f9d

SHA256
65ff7af43665cb3d30304e6b0149815f4efa778b7acab768c8e393b7b3bf0a70

SHA512
b4ce36ed67227335195fac1c4c2701b0bb944f76fefbfc592b0c8ea23f75b00503ec4776444bbd4912ebfe994a18336ef35296a460ebd1ff9b72c6a8543c673d

Download Submit
\Windows\Temp\123.exe

Filesize
400KB

MD5
f8e18e56a94293be868cf74cd749f4ab

SHA1
fe0fc2aefee466159e00db97c1b92c7f2c961f9d

SHA256
65ff7af43665cb3d30304e6b0149815f4efa778b7acab768c8e393b7b3bf0a70

SHA512
b4ce36ed67227335195fac1c4c2701b0bb944f76fefbfc592b0c8ea23f75b00503ec4776444bbd4912ebfe994a18336ef35296a460ebd1ff9b72c6a8543c673d

Download Submit
\Windows\Temp\123.exe

Filesize
400KB

MD5
f8e18e56a94293be868cf74cd749f4ab

SHA1
fe0fc2aefee466159e00db97c1b92c7f2c961f9d

SHA256
65ff7af43665cb3d30304e6b0149815f4efa778b7acab768c8e393b7b3bf0a70

SHA512
b4ce36ed67227335195fac1c4c2701b0bb944f76fefbfc592b0c8ea23f75b00503ec4776444bbd4912ebfe994a18336ef35296a460ebd1ff9b72c6a8543c673d

Download Submit
\Windows\Temp\123.exe

Filesize
400KB

MD5
f8e18e56a94293be868cf74cd749f4ab

SHA1
fe0fc2aefee466159e00db97c1b92c7f2c961f9d

SHA256
65ff7af43665cb3d30304e6b0149815f4efa778b7acab768c8e393b7b3bf0a70

SHA512
b4ce36ed67227335195fac1c4c2701b0bb944f76fefbfc592b0c8ea23f75b00503ec4776444bbd4912ebfe994a18336ef35296a460ebd1ff9b72c6a8543c673d

Download Submit
\Windows\Temp\123.exe

Filesize
400KB

MD5
f8e18e56a94293be868cf74cd749f4ab

SHA1
fe0fc2aefee466159e00db97c1b92c7f2c961f9d

SHA256
65ff7af43665cb3d30304e6b0149815f4efa778b7acab768c8e393b7b3bf0a70

SHA512
b4ce36ed67227335195fac1c4c2701b0bb944f76fefbfc592b0c8ea23f75b00503ec4776444bbd4912ebfe994a18336ef35296a460ebd1ff9b72c6a8543c673d

Download Submit
\Windows\Temp\321.exe

Filesize
2.8MB

MD5
d967ef9e4f71a00ad98b228554322e17

SHA1
4cce0cf45054fad3aadaf8e288ac46172a14e968

SHA256
60dd8000329c5890b88049fcac58408bd6419756311f9ff95ffb69bfb68f81a0

SHA512
86f951c6dbf3fdf91a9c5ab695ea1799f6f081f7cf3b04d3661f4b01d5af38cf77d0966776d3bcef566b1f7243a24bfeb708c4c292a5271cbcce07c1bdaf6d4e

Download Submit
\Windows\Temp\321.exe

Filesize
2.8MB

MD5
d967ef9e4f71a00ad98b228554322e17

SHA1
4cce0cf45054fad3aadaf8e288ac46172a14e968

SHA256
60dd8000329c5890b88049fcac58408bd6419756311f9ff95ffb69bfb68f81a0

SHA512
86f951c6dbf3fdf91a9c5ab695ea1799f6f081f7cf3b04d3661f4b01d5af38cf77d0966776d3bcef566b1f7243a24bfeb708c4c292a5271cbcce07c1bdaf6d4e

Download Submit
\Windows\Temp\321.exe

Filesize
2.8MB

MD5
d967ef9e4f71a00ad98b228554322e17

SHA1
4cce0cf45054fad3aadaf8e288ac46172a14e968

SHA256
60dd8000329c5890b88049fcac58408bd6419756311f9ff95ffb69bfb68f81a0

SHA512
86f951c6dbf3fdf91a9c5ab695ea1799f6f081f7cf3b04d3661f4b01d5af38cf77d0966776d3bcef566b1f7243a24bfeb708c4c292a5271cbcce07c1bdaf6d4e

Download Submit
\Windows\Temp\321.exe

Filesize
2.8MB

MD5
d967ef9e4f71a00ad98b228554322e17

SHA1
4cce0cf45054fad3aadaf8e288ac46172a14e968

SHA256
60dd8000329c5890b88049fcac58408bd6419756311f9ff95ffb69bfb68f81a0

SHA512
86f951c6dbf3fdf91a9c5ab695ea1799f6f081f7cf3b04d3661f4b01d5af38cf77d0966776d3bcef566b1f7243a24bfeb708c4c292a5271cbcce07c1bdaf6d4e

Download Submit
\Windows\Temp\321.exe

Filesize
2.8MB

MD5
d967ef9e4f71a00ad98b228554322e17

SHA1
4cce0cf45054fad3aadaf8e288ac46172a14e968

SHA256
60dd8000329c5890b88049fcac58408bd6419756311f9ff95ffb69bfb68f81a0

SHA512
86f951c6dbf3fdf91a9c5ab695ea1799f6f081f7cf3b04d3661f4b01d5af38cf77d0966776d3bcef566b1f7243a24bfeb708c4c292a5271cbcce07c1bdaf6d4e

Download Submit
\Windows\Temp\321.exe

Filesize
2.8MB

MD5
d967ef9e4f71a00ad98b228554322e17

SHA1
4cce0cf45054fad3aadaf8e288ac46172a14e968

SHA256
60dd8000329c5890b88049fcac58408bd6419756311f9ff95ffb69bfb68f81a0

SHA512
86f951c6dbf3fdf91a9c5ab695ea1799f6f081f7cf3b04d3661f4b01d5af38cf77d0966776d3bcef566b1f7243a24bfeb708c4c292a5271cbcce07c1bdaf6d4e

Download Submit
memory/1480-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1652-73-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-74-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1652-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1860-80-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/1860-82-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/1860-98-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download