redline | bc0c6f3edcce5f2b15ce4c6f1dbb391c8379693ddf7532462f33857eb6f0ffbd

General

Target

Camtasia.exe
Size

701.0MB
MD5

3edabce0833a1fe15dcf374c29ad293e
SHA1

68aec7add651fcb8597a0b5e5943b9bc460e4875
SHA256

bc0c6f3edcce5f2b15ce4c6f1dbb391c8379693ddf7532462f33857eb6f0ffbd
SHA512

1f34ff99afd072fea608cc52887f1d11726bf02c043d76cee24403a6f4bfa18e9ef7bbe916a31dae5600a5e9fa0785bd48836788306f4211dd24096b9e2a58db
SSDEEP

3072:q1/3moQkgU0CwlvwReBFpkVLSYrVEWYw+QeTOUD69qjiwcI/s2o7Pn9SgOStEWLU:yWxNv+eyOq+JTDaq2Jf2mnAgNfSVLD

Score

10^/10

redline yt infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

yt

C2

65.109.139.121:28859

Attributes

auth_value
c85b149d6d3359b3fe4dd1dfcc5864e8

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Camtasia.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation Camtasia.exe
Executes dropped EXE 1 IoCs

Processes:

TrashExe (1).exe

pid process

5012 TrashExe (1).exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Camtasia.exe

description pid process target process

PID 2152 set thread context of 4580 2152 Camtasia.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

4580 vbc.exe
4580 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 4580 vbc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Camtasia.exe

pid	process
5012	TrashExe (1).exe

description	pid	process	target process
PID 2152 set thread context of 4580	2152	Camtasia.exe	vbc.exe

pid	process
4580	vbc.exe
4580	vbc.exe

description	pid	process
Token: SeDebugPrivilege	4580	vbc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Camtasia.exe

description	pid	process	target process
PID 2152 wrote to memory of 4580	2152	Camtasia.exe	vbc.exe
PID 2152 wrote to memory of 4580	2152	Camtasia.exe	vbc.exe
PID 2152 wrote to memory of 4580	2152	Camtasia.exe	vbc.exe
PID 2152 wrote to memory of 4580	2152	Camtasia.exe	vbc.exe
PID 2152 wrote to memory of 4580	2152	Camtasia.exe	vbc.exe
PID 2152 wrote to memory of 4580	2152	Camtasia.exe	vbc.exe
PID 2152 wrote to memory of 4580	2152	Camtasia.exe	vbc.exe
PID 2152 wrote to memory of 4580	2152	Camtasia.exe	vbc.exe
PID 2152 wrote to memory of 5012	2152	Camtasia.exe	TrashExe (1).exe
PID 2152 wrote to memory of 5012	2152	Camtasia.exe	TrashExe (1).exe
PID 2152 wrote to memory of 5012	2152	Camtasia.exe	TrashExe (1).exe

C:\Users\Admin\AppData\Local\Temp\Camtasia.exe
"C:\Users\Admin\AppData\Local\Temp\Camtasia.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Users\Admin\AppData\Local\Temp\TrashExe (1).exe
"C:\Users\Admin\AppData\Local\Temp\TrashExe (1).exe"
2⤵
- Executes dropped EXE
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TrashExe (1).exe
Filesize
3KB

MD5
43c14a07b0a83cb0ade9f7da7b0ca394

SHA1
79d457fc5c171c3677c50d19e7df3baf5f1311a8

SHA256
3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

SHA512
9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrashExe (1).exe
Filesize
3KB

MD5
43c14a07b0a83cb0ade9f7da7b0ca394

SHA1
79d457fc5c171c3677c50d19e7df3baf5f1311a8

SHA256
3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

SHA512
9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrashExe (1).exe
Filesize
3KB

MD5
43c14a07b0a83cb0ade9f7da7b0ca394

SHA1
79d457fc5c171c3677c50d19e7df3baf5f1311a8

SHA256
3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

SHA512
9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

Download Submit
memory/2152-134-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2152-154-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2152-133-0x00000000007C0000-0x0000000000802000-memory.dmp

Filesize
264KB

Download
memory/4580-139-0x0000000005090000-0x00000000050A2000-memory.dmp

Filesize
72KB

Download
memory/4580-155-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/4580-148-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4580-138-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/4580-137-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/4580-161-0x0000000006A10000-0x0000000006A86000-memory.dmp

Filesize
472KB

Download
memory/4580-135-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4580-147-0x0000000005110000-0x000000000514C000-memory.dmp

Filesize
240KB

Download
memory/4580-156-0x00000000061D0000-0x0000000006774000-memory.dmp

Filesize
5.6MB

Download
memory/4580-157-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4580-158-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4580-159-0x0000000006B50000-0x0000000006D12000-memory.dmp

Filesize
1.8MB

Download
memory/4580-160-0x0000000007250000-0x000000000777C000-memory.dmp

Filesize
5.2MB

Download
memory/4580-162-0x0000000006A90000-0x0000000006AE0000-memory.dmp

Filesize
320KB

Download
memory/5012-152-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing