redline | 9fbc398697579871e9ed351b5874acacb8b435178b32ff6506a03e5738b2e75f

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-04-2023 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e88c37f1bb15fcbe857ee8c4d526153f.exe
Size

1.9MB
MD5

e88c37f1bb15fcbe857ee8c4d526153f
SHA1

c52537d8b02f5c9c9ea40f78a7e2c9f8dc78225b
SHA256

9fbc398697579871e9ed351b5874acacb8b435178b32ff6506a03e5738b2e75f
SHA512

8065ee3b4fd2130549f016c5accb5f8347812b2b0cf6cc97bf712e6b34d30d3dd893dbcf250db60bd0d17550e36462dce4d3ae33858007af2e19e7ad71e44164
SSDEEP

49152:IBJ/2XAf/cdSy4ihSiudHKWw7YYlMDFUjcgbeR:ywXI0c5icLKJEYlIFicWe

Score

10^/10

redline red infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

RED

79.137.202.0:81

Attributes

auth_value
49e32ec54afd3f75dadad05dbf2e524f

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 1 IoCs

pid	Process
1320	cqb3grs.exe

Loads dropped DLL 7 IoCs

pid	Process
1708	e88c37f1bb15fcbe857ee8c4d526153f.exe
1708	e88c37f1bb15fcbe857ee8c4d526153f.exe
1708	e88c37f1bb15fcbe857ee8c4d526153f.exe
1708	e88c37f1bb15fcbe857ee8c4d526153f.exe
292	WerFault.exe
292	WerFault.exe
292	WerFault.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 884	1320	cqb3grs.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
292	1320	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
884	RegSvcs.exe
884	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1320	1708	e88c37f1bb15fcbe857ee8c4d526153f.exe	28
PID 1708 wrote to memory of 1320	1708	e88c37f1bb15fcbe857ee8c4d526153f.exe	28
PID 1708 wrote to memory of 1320	1708	e88c37f1bb15fcbe857ee8c4d526153f.exe	28
PID 1708 wrote to memory of 1320	1708	e88c37f1bb15fcbe857ee8c4d526153f.exe	28
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 884	1320	cqb3grs.exe	30
PID 1320 wrote to memory of 292	1320	cqb3grs.exe	31
PID 1320 wrote to memory of 292	1320	cqb3grs.exe	31
PID 1320 wrote to memory of 292	1320	cqb3grs.exe	31
PID 1320 wrote to memory of 292	1320	cqb3grs.exe	31

C:\Users\Admin\AppData\Local\Temp\e88c37f1bb15fcbe857ee8c4d526153f.exe
"C:\Users\Admin\AppData\Local\Temp\e88c37f1bb15fcbe857ee8c4d526153f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 72
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cqb3grs.exe

Filesize
1.3MB

MD5
3681076e0468f402f6a12e9d586c24b1

SHA1
92d9039e76ad9166b00d38100994f86ad712818d

SHA256
e6c6df931d2d1b58840c66475e55e659146cc677dd1a90adbbb160911169329f

SHA512
5615fc46b28796034a2120a69113e5e18d94545b88370384ae0807090300b1c73a130a9e8e3ce8fe6f6e9148f6944a5f0fc0bccece84206b94b25be30cd73828

Download Submit
memory/884-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/884-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/884-81-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/884-75-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/884-74-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/884-86-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/884-87-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/884-88-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download