redline | 95702883e883a7fa3f7f20ecf6713b03cd00469644d777b73f36351db97ef3c2

Analysis

max time kernel
38s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/02/2023, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.1MB
MD5

d1433f5b2eada044678af57d87ee31e5
SHA1

0493152ee8d18335fa5043be0f80d12331f2ea00
SHA256

95702883e883a7fa3f7f20ecf6713b03cd00469644d777b73f36351db97ef3c2
SHA512

80dcff2d4e4001d8adb4eff0963921e4335c80bde476492996e74762918663bc84627ae9ca73023f75f799143d3101939ce0a599fafa164f9750481e4bb680c2
SSDEEP

49152:V5OaOl3UYvrbFueD40EJbAXOUghn/WsAXZ//t:V59Q3UYvrBusTM8OUgNLY

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

51.210.137.6:47909

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1088	123.exe
1804	321.exe

Loads dropped DLL 12 IoCs

pid	Process
1988	file.exe
1988	file.exe
1988	file.exe
1988	file.exe
1988	file.exe
1988	file.exe
1684	WerFault.exe
1684	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1684	WerFault.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 1564	1088	123.exe	30
PID 1804 set thread context of 1744	1804	321.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1684	1088	WerFault.exe	26
1044	1804	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1564	vbc.exe
1564	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1088	1988	file.exe	26
PID 1988 wrote to memory of 1088	1988	file.exe	26
PID 1988 wrote to memory of 1088	1988	file.exe	26
PID 1988 wrote to memory of 1088	1988	file.exe	26
PID 1988 wrote to memory of 1804	1988	file.exe	28
PID 1988 wrote to memory of 1804	1988	file.exe	28
PID 1988 wrote to memory of 1804	1988	file.exe	28
PID 1988 wrote to memory of 1804	1988	file.exe	28
PID 1088 wrote to memory of 1564	1088	123.exe	30
PID 1088 wrote to memory of 1564	1088	123.exe	30
PID 1088 wrote to memory of 1564	1088	123.exe	30
PID 1088 wrote to memory of 1564	1088	123.exe	30
PID 1088 wrote to memory of 1564	1088	123.exe	30
PID 1088 wrote to memory of 1564	1088	123.exe	30
PID 1088 wrote to memory of 1684	1088	123.exe	31
PID 1088 wrote to memory of 1684	1088	123.exe	31
PID 1088 wrote to memory of 1684	1088	123.exe	31
PID 1088 wrote to memory of 1684	1088	123.exe	31
PID 1804 wrote to memory of 1744	1804	321.exe	32
PID 1804 wrote to memory of 1744	1804	321.exe	32
PID 1804 wrote to memory of 1744	1804	321.exe	32
PID 1804 wrote to memory of 1744	1804	321.exe	32
PID 1804 wrote to memory of 1744	1804	321.exe	32
PID 1804 wrote to memory of 1744	1804	321.exe	32
PID 1804 wrote to memory of 1044	1804	321.exe	33
PID 1804 wrote to memory of 1044	1804	321.exe	33
PID 1804 wrote to memory of 1044	1804	321.exe	33
PID 1804 wrote to memory of 1044	1804	321.exe	33
PID 1744 wrote to memory of 1688	1744	vbc.exe	34
PID 1744 wrote to memory of 1688	1744	vbc.exe	34
PID 1744 wrote to memory of 1688	1744	vbc.exe	34
PID 1744 wrote to memory of 1688	1744	vbc.exe	34

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\Temp\123.exe
  "C:\Windows\Temp\123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 48
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1684
- C:\Windows\Temp\321.exe
  "C:\Windows\Temp\321.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 48
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\123.exe

Filesize
1.0MB

MD5
ae771c1de075bbc19c94c282dd0d700f

SHA1
01e03ffabc07e03a87e0153e7f0f473a17180d6a

SHA256
ed827b19c613303aea51290ec4554626883a89a17c37c6f6707221cf77cf5ed3

SHA512
1a8e92df2210089e9ee8a85c259c8fb5ba1806cb8174e73a1fc41a8574fe5a0cc44eafe5ab0c67807ef1362e4d461b4fdbeb1af16d2547289c172d4a4ff5b3a8

Download Submit
C:\Windows\Temp\321.exe

Filesize
3.4MB

MD5
ef82992004a4ecb5d8d938253afce558

SHA1
358ff0331fc36fc1871225bc11a5011f72949d7c

SHA256
11d2605286141b6f88413e09599d6de68d1ef1f291c73a6198397c5b99baede7

SHA512
59f0a00078a6330e1395029e7ede525fdfb086543dbb50f0556f1657bc9f007986703e2f59a0581d91ef4315f370779d06312d052cd8139f439c9d1b8a06247b

Download Submit
\Windows\Temp\123.exe

Filesize
1.0MB

MD5
ae771c1de075bbc19c94c282dd0d700f

SHA1
01e03ffabc07e03a87e0153e7f0f473a17180d6a

SHA256
ed827b19c613303aea51290ec4554626883a89a17c37c6f6707221cf77cf5ed3

SHA512
1a8e92df2210089e9ee8a85c259c8fb5ba1806cb8174e73a1fc41a8574fe5a0cc44eafe5ab0c67807ef1362e4d461b4fdbeb1af16d2547289c172d4a4ff5b3a8

Download Submit
\Windows\Temp\123.exe

Filesize
1.0MB

MD5
ae771c1de075bbc19c94c282dd0d700f

SHA1
01e03ffabc07e03a87e0153e7f0f473a17180d6a

SHA256
ed827b19c613303aea51290ec4554626883a89a17c37c6f6707221cf77cf5ed3

SHA512
1a8e92df2210089e9ee8a85c259c8fb5ba1806cb8174e73a1fc41a8574fe5a0cc44eafe5ab0c67807ef1362e4d461b4fdbeb1af16d2547289c172d4a4ff5b3a8

Download Submit
\Windows\Temp\123.exe

Filesize
1.0MB

MD5
ae771c1de075bbc19c94c282dd0d700f

SHA1
01e03ffabc07e03a87e0153e7f0f473a17180d6a

SHA256
ed827b19c613303aea51290ec4554626883a89a17c37c6f6707221cf77cf5ed3

SHA512
1a8e92df2210089e9ee8a85c259c8fb5ba1806cb8174e73a1fc41a8574fe5a0cc44eafe5ab0c67807ef1362e4d461b4fdbeb1af16d2547289c172d4a4ff5b3a8

Download Submit
\Windows\Temp\123.exe

Filesize
1.0MB

MD5
ae771c1de075bbc19c94c282dd0d700f

SHA1
01e03ffabc07e03a87e0153e7f0f473a17180d6a

SHA256
ed827b19c613303aea51290ec4554626883a89a17c37c6f6707221cf77cf5ed3

SHA512
1a8e92df2210089e9ee8a85c259c8fb5ba1806cb8174e73a1fc41a8574fe5a0cc44eafe5ab0c67807ef1362e4d461b4fdbeb1af16d2547289c172d4a4ff5b3a8

Download Submit
\Windows\Temp\123.exe

Filesize
1.0MB

MD5
ae771c1de075bbc19c94c282dd0d700f

SHA1
01e03ffabc07e03a87e0153e7f0f473a17180d6a

SHA256
ed827b19c613303aea51290ec4554626883a89a17c37c6f6707221cf77cf5ed3

SHA512
1a8e92df2210089e9ee8a85c259c8fb5ba1806cb8174e73a1fc41a8574fe5a0cc44eafe5ab0c67807ef1362e4d461b4fdbeb1af16d2547289c172d4a4ff5b3a8

Download Submit
\Windows\Temp\123.exe

Filesize
1.0MB

MD5
ae771c1de075bbc19c94c282dd0d700f

SHA1
01e03ffabc07e03a87e0153e7f0f473a17180d6a

SHA256
ed827b19c613303aea51290ec4554626883a89a17c37c6f6707221cf77cf5ed3

SHA512
1a8e92df2210089e9ee8a85c259c8fb5ba1806cb8174e73a1fc41a8574fe5a0cc44eafe5ab0c67807ef1362e4d461b4fdbeb1af16d2547289c172d4a4ff5b3a8

Download Submit
\Windows\Temp\321.exe

Filesize
3.4MB

MD5
ef82992004a4ecb5d8d938253afce558

SHA1
358ff0331fc36fc1871225bc11a5011f72949d7c

SHA256
11d2605286141b6f88413e09599d6de68d1ef1f291c73a6198397c5b99baede7

SHA512
59f0a00078a6330e1395029e7ede525fdfb086543dbb50f0556f1657bc9f007986703e2f59a0581d91ef4315f370779d06312d052cd8139f439c9d1b8a06247b

Download Submit
\Windows\Temp\321.exe

Filesize
3.4MB

MD5
ef82992004a4ecb5d8d938253afce558

SHA1
358ff0331fc36fc1871225bc11a5011f72949d7c

SHA256
11d2605286141b6f88413e09599d6de68d1ef1f291c73a6198397c5b99baede7

SHA512
59f0a00078a6330e1395029e7ede525fdfb086543dbb50f0556f1657bc9f007986703e2f59a0581d91ef4315f370779d06312d052cd8139f439c9d1b8a06247b

Download Submit
\Windows\Temp\321.exe

Filesize
3.4MB

MD5
ef82992004a4ecb5d8d938253afce558

SHA1
358ff0331fc36fc1871225bc11a5011f72949d7c

SHA256
11d2605286141b6f88413e09599d6de68d1ef1f291c73a6198397c5b99baede7

SHA512
59f0a00078a6330e1395029e7ede525fdfb086543dbb50f0556f1657bc9f007986703e2f59a0581d91ef4315f370779d06312d052cd8139f439c9d1b8a06247b

Download Submit
\Windows\Temp\321.exe

Filesize
3.4MB

MD5
ef82992004a4ecb5d8d938253afce558

SHA1
358ff0331fc36fc1871225bc11a5011f72949d7c

SHA256
11d2605286141b6f88413e09599d6de68d1ef1f291c73a6198397c5b99baede7

SHA512
59f0a00078a6330e1395029e7ede525fdfb086543dbb50f0556f1657bc9f007986703e2f59a0581d91ef4315f370779d06312d052cd8139f439c9d1b8a06247b

Download Submit
\Windows\Temp\321.exe

Filesize
3.4MB

MD5
ef82992004a4ecb5d8d938253afce558

SHA1
358ff0331fc36fc1871225bc11a5011f72949d7c

SHA256
11d2605286141b6f88413e09599d6de68d1ef1f291c73a6198397c5b99baede7

SHA512
59f0a00078a6330e1395029e7ede525fdfb086543dbb50f0556f1657bc9f007986703e2f59a0581d91ef4315f370779d06312d052cd8139f439c9d1b8a06247b

Download Submit
\Windows\Temp\321.exe

Filesize
3.4MB

MD5
ef82992004a4ecb5d8d938253afce558

SHA1
358ff0331fc36fc1871225bc11a5011f72949d7c

SHA256
11d2605286141b6f88413e09599d6de68d1ef1f291c73a6198397c5b99baede7

SHA512
59f0a00078a6330e1395029e7ede525fdfb086543dbb50f0556f1657bc9f007986703e2f59a0581d91ef4315f370779d06312d052cd8139f439c9d1b8a06247b

Download Submit
memory/1564-73-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1564-74-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1564-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1564-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1744-78-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/1744-80-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/1744-96-0x0000000000400000-0x0000000000690000-memory.dmp

Filesize
2.6MB

Download
memory/1988-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download