redline | 7c8ca3c5b49dd473dbe777fb3aa2e7334b365a96c4b14dce896cde43b312b7a0

Analysis

max time kernel
1592s
max time network
1596s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2023, 22:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Activator.exe
Size

316KB
MD5

7dff717a5c2b9aaf4fcdf8ea44faa271
SHA1

496df8baa3bf907345174d508f8e81d2a23f42c4
SHA256

7c8ca3c5b49dd473dbe777fb3aa2e7334b365a96c4b14dce896cde43b312b7a0
SHA512

00cfe44d792f7a748bc012d6ccb34a20422866d0a3e7ba05717b8c9176f780a6ea60ae0805d4b4595551d14534fbb365c0bd3c540da7799c6dac08bd9e06fa83
SSDEEP

6144:n356TgQ4WYbaiVkXI6wJIh6F94/Uw8Pcpnfofi/:n35ivicIfIhEs8PcJQf+

Score

10^/10

redline @chrisdime_lolz infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@chrisdime_lolz

94.142.138.4:80

Attributes

auth_value
32fa7bda17aaeffb37e9d4f406b903f4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 3612	2028	Activator.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4480	2028	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3612	AppLaunch.exe
3612	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3612	2028	Activator.exe	84
PID 2028 wrote to memory of 3612	2028	Activator.exe	84
PID 2028 wrote to memory of 3612	2028	Activator.exe	84
PID 2028 wrote to memory of 3612	2028	Activator.exe	84
PID 2028 wrote to memory of 3612	2028	Activator.exe	84

C:\Users\Admin\AppData\Local\Temp\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\Activator.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 512
  2⤵
  - Program crash
  PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2028 -ip 2028
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3612-134-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3612-139-0x00000000069C0000-0x0000000006FD8000-memory.dmp

Filesize
6.1MB

Download
memory/3612-140-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3612-141-0x0000000006610000-0x000000000671A000-memory.dmp

Filesize
1.0MB

Download
memory/3612-142-0x0000000006540000-0x0000000006552000-memory.dmp

Filesize
72KB

Download
memory/3612-143-0x00000000065A0000-0x00000000065DC000-memory.dmp

Filesize
240KB

Download
memory/3612-144-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/3612-145-0x0000000001570000-0x00000000015E6000-memory.dmp

Filesize
472KB

Download
memory/3612-146-0x00000000018B0000-0x0000000001942000-memory.dmp

Filesize
584KB

Download
memory/3612-147-0x0000000007580000-0x00000000075E6000-memory.dmp

Filesize
408KB

Download
memory/3612-148-0x000000000A420000-0x000000000A9C4000-memory.dmp

Filesize
5.6MB

Download
memory/3612-149-0x00000000076F0000-0x0000000007740000-memory.dmp

Filesize
320KB

Download
memory/3612-150-0x0000000008600000-0x00000000087C2000-memory.dmp

Filesize
1.8MB

Download
memory/3612-151-0x000000000A9D0000-0x000000000AEFC000-memory.dmp

Filesize
5.2MB

Download