redline | bc3806f66884b0cca0e04cd6ec09f391f5ea3855e3ce6bd621e04706ece5e6ed

General

Target

tmp.exe
Size

1.6MB
MD5

e5f500ae2fdb4ab9f6be5475964ec5c7
SHA1

a9227afc32e5ce7722c8927f4c3f8c7b26da9923
SHA256

bc3806f66884b0cca0e04cd6ec09f391f5ea3855e3ce6bd621e04706ece5e6ed
SHA512

768916e73c77bed2394e428621ae39521f8ebcff2a4b367f9ae1510165aacb1f29a04953845a8026f3f5ee10123cadbf929e3b2ed0117f6f3b8c9d13e681c366
SSDEEP

49152:OhWTfPjDurtiIIMmk7Shxtj+EXQW054yobLhT:rDXInmGShDJXQW054yqhT

Score

10^/10

redline vidar ba1fc89d9f7df84dadf34886aabb246c mix1 infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

mix1

C2

80.85.157.78:13331

Attributes

auth_value
4f9b36b8bfdf2607d3f0e623584037e2

Extracted

Family

vidar

Version

3.1

Botnet

ba1fc89d9f7df84dadf34886aabb246c

C2

https://t.me/owned001

http://65.109.236.2:80

https://t.me/tabootalks

https://steamcommunity.com/profiles/76561199472266392

http://135.181.26.183:80

Attributes

profile_id_v2
ba1fc89d9f7df84dadf34886aabb246c
user_agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 OPR/91.0.4516.79

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1468 created 2424 1468 tmp.exe taskhostw.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Loads dropped DLL 3 IoCs

Processes:

tmp.exefontview.exe

pid process

1468 tmp.exe
1180 fontview.exe
1180 fontview.exe
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1468 set thread context of 5080 1468 tmp.exe ngentask.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2068 1180 WerFault.exe fontview.exe

description	pid	process	target process
PID 1468 created 2424	1468	tmp.exe	taskhostw.exe

description	pid	process	target process
PID 1468 set thread context of 5080	1468	tmp.exe	ngentask.exe

pid	pid_target	process	target process
2068	1180	WerFault.exe	fontview.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fontview.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fontview.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fontview.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

tmp.exengentask.exefontview.exe

pid	process
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
1468	tmp.exe
5080	ngentask.exe
5080	ngentask.exe
1180	fontview.exe
1180	fontview.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ngentask.exe

description pid process

Token: SeDebugPrivilege 5080 ngentask.exe

description	pid	process
Token: SeDebugPrivilege	5080	ngentask.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1468 wrote to memory of 5000	1468	tmp.exe	ngentask.exe
PID 1468 wrote to memory of 5000	1468	tmp.exe	ngentask.exe
PID 1468 wrote to memory of 5000	1468	tmp.exe	ngentask.exe
PID 1468 wrote to memory of 5080	1468	tmp.exe	ngentask.exe
PID 1468 wrote to memory of 5080	1468	tmp.exe	ngentask.exe
PID 1468 wrote to memory of 5080	1468	tmp.exe	ngentask.exe
PID 1468 wrote to memory of 5080	1468	tmp.exe	ngentask.exe
PID 1468 wrote to memory of 5080	1468	tmp.exe	ngentask.exe
PID 1468 wrote to memory of 1180	1468	tmp.exe	fontview.exe
PID 1468 wrote to memory of 1180	1468	tmp.exe	fontview.exe
PID 1468 wrote to memory of 1180	1468	tmp.exe	fontview.exe
PID 1468 wrote to memory of 1180	1468	tmp.exe	fontview.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2424

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1556
3⤵
- Program crash
PID:2068

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1180 -ip 1180
1⤵
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\240552906.dll
Filesize
566KB

MD5
87a0c31ef2e03ee553605ca1bebbd354

SHA1
19c69d245f75814f495beb4770c55f0c9003b53c

SHA256
4e6a47c072dc87cc310995ebdf10db5d76fa180e8ce8a0909db751121927afff

SHA512
fe08f217bfa56d003eb174de9e1418384989da71ab6b504893b3ee88da975da9e2b593afc4213be3c1054f2ba7d62003cbb34dcea3644d85d1db6817d5815a76

Download Submit
memory/1180-167-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1180-237-0x0000000000E00000-0x0000000000E6D000-memory.dmp

Filesize
436KB

Download
memory/1180-236-0x0000000000E00000-0x0000000000E6D000-memory.dmp

Filesize
436KB

Download
memory/1180-142-0x0000000000E00000-0x0000000000E6D000-memory.dmp

Filesize
436KB

Download
memory/1180-235-0x0000000000E00000-0x0000000000E6D000-memory.dmp

Filesize
436KB

Download
memory/1468-134-0x000000000F910000-0x000000000FA5A000-memory.dmp

Filesize
1.3MB

Download
memory/5080-145-0x0000000007530000-0x000000000763A000-memory.dmp

Filesize
1.0MB

Download
memory/5080-164-0x0000000008A50000-0x0000000008F7C000-memory.dmp

Filesize
5.2MB

Download
memory/5080-159-0x0000000007920000-0x00000000079B2000-memory.dmp

Filesize
584KB

Download
memory/5080-160-0x0000000007F70000-0x0000000008514000-memory.dmp

Filesize
5.6MB

Download
memory/5080-161-0x0000000007AC0000-0x0000000007B36000-memory.dmp

Filesize
472KB

Download
memory/5080-162-0x0000000007B40000-0x0000000007B90000-memory.dmp

Filesize
320KB

Download
memory/5080-163-0x0000000007D60000-0x0000000007F22000-memory.dmp

Filesize
1.8MB

Download
memory/5080-158-0x0000000007810000-0x0000000007876000-memory.dmp

Filesize
408KB

Download
memory/5080-165-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/5080-148-0x00000000074A0000-0x00000000074DC000-memory.dmp

Filesize
240KB

Download
memory/5080-147-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/5080-146-0x0000000007440000-0x0000000007452000-memory.dmp

Filesize
72KB

Download
memory/5080-144-0x0000000005BA0000-0x00000000061B8000-memory.dmp

Filesize
6.1MB

Download
memory/5080-137-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5080-135-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads