redline | 0fc4d502fce6b9f13c09f38ab651462d6fa8a29316b55f9920466e9283463191

Analysis

max time kernel
276s
max time network
210s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WeSoft.exe
Size

6.9MB
MD5

b8c2aef5c38e827a7773c2efd0cfe310
SHA1

034f756417bd03d18e30df3ec75e8c34fd2e938d
SHA256

45589cbb6d70380b112446fdea6643da47100c6699b130f9b99bcc24cae0e140
SHA512

46d0f74b5184d98cf91c7f53d2f8d66cf4f3789935a197f520a5cbdb6f968e13c2da81846640603cea56e51b8d936cc155074dfa1676245657052412a7d2d783
SSDEEP

98304:YcoBjotiA6IZZnV2wRi1RBYZsTBrHJWGs2NyqeoNE/7SRYY2VymGu/m6zHAlA649:ejOp6IZawo1/YGTVHJack+YlGlSRRB

Score

10^/10

redline 5637482599 infostealer infostealer_generic spyware

Malware Config

Extracted

Family

redline

Botnet

5637482599

https://pastebin.com/raw/NgsUAPya

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Find unpacked information stealer based on possible SQL query to retrieve broswer data 2 IoCs

Detects infostealer.

infostealer_generic

resource	yara_rule
behavioral1/memory/1828-257-0x0000000000400000-0x000000000041E000-memory.dmp	infostealer_generic_browser_sql
behavioral1/memory/1828-261-0x00000000021B0000-0x00000000021F0000-memory.dmp	infostealer_generic_browser_sql

Executes dropped EXE 1 IoCs

pid	Process
1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe

Loads dropped DLL 3 IoCs

pid	Process
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1984	1620	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1828	InstallUtil.exe
1828	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	InstallUtil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
860	javaw.exe
860	javaw.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 860	1228	WeSoft.exe	28
PID 1228 wrote to memory of 860	1228	WeSoft.exe	28
PID 1228 wrote to memory of 860	1228	WeSoft.exe	28
PID 1228 wrote to memory of 860	1228	WeSoft.exe	28
PID 860 wrote to memory of 1704	860	javaw.exe	29
PID 860 wrote to memory of 1704	860	javaw.exe	29
PID 860 wrote to memory of 1704	860	javaw.exe	29
PID 860 wrote to memory of 1704	860	javaw.exe	29
PID 1612 wrote to memory of 1620	1612	explorer.exe	31
PID 1612 wrote to memory of 1620	1612	explorer.exe	31
PID 1612 wrote to memory of 1620	1612	explorer.exe	31
PID 1612 wrote to memory of 1620	1612	explorer.exe	31
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1828	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	33
PID 1620 wrote to memory of 1984	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	34
PID 1620 wrote to memory of 1984	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	34
PID 1620 wrote to memory of 1984	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	34
PID 1620 wrote to memory of 1984	1620	YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe	34

C:\Users\Admin\AppData\Local\Temp\WeSoft.exe
"C:\Users\Admin\AppData\Local\Temp\WeSoft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\WeSoft.exe" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe
    3⤵
    PID:1704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe
  "C:\Users\Admin\AppData\Local\Temp\YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 52
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe

Filesize
1.2MB

MD5
663913cbcfbc87ae65bd051a43871ba7

SHA1
1c5d4d23d2013b73143a6a8458c1bf2de6c8941a

SHA256
ec6a84ee0f2d3fde8ae9722090b76cb2925cc13f09291d50161b7076c447b7e8

SHA512
edd4823945e9b23c48dd77f5100dc9c4707332b2b989cccd676e6196b4aeecfc4130d7c1ed3ddfb7f121097d7c8501b685b6b0550b77a734682c1334132e253b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe

Filesize
1.2MB

MD5
663913cbcfbc87ae65bd051a43871ba7

SHA1
1c5d4d23d2013b73143a6a8458c1bf2de6c8941a

SHA256
ec6a84ee0f2d3fde8ae9722090b76cb2925cc13f09291d50161b7076c447b7e8

SHA512
edd4823945e9b23c48dd77f5100dc9c4707332b2b989cccd676e6196b4aeecfc4130d7c1ed3ddfb7f121097d7c8501b685b6b0550b77a734682c1334132e253b

Download Submit
\Users\Admin\AppData\Local\Temp\YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe

Filesize
1.2MB

MD5
663913cbcfbc87ae65bd051a43871ba7

SHA1
1c5d4d23d2013b73143a6a8458c1bf2de6c8941a

SHA256
ec6a84ee0f2d3fde8ae9722090b76cb2925cc13f09291d50161b7076c447b7e8

SHA512
edd4823945e9b23c48dd77f5100dc9c4707332b2b989cccd676e6196b4aeecfc4130d7c1ed3ddfb7f121097d7c8501b685b6b0550b77a734682c1334132e253b

Download Submit
\Users\Admin\AppData\Local\Temp\YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe

Filesize
1.2MB

MD5
663913cbcfbc87ae65bd051a43871ba7

SHA1
1c5d4d23d2013b73143a6a8458c1bf2de6c8941a

SHA256
ec6a84ee0f2d3fde8ae9722090b76cb2925cc13f09291d50161b7076c447b7e8

SHA512
edd4823945e9b23c48dd77f5100dc9c4707332b2b989cccd676e6196b4aeecfc4130d7c1ed3ddfb7f121097d7c8501b685b6b0550b77a734682c1334132e253b

Download Submit
\Users\Admin\AppData\Local\Temp\YjFjOWM1YzM0ZmFhMWY2MzA4ZTBkMTA5M2EyN2IzMGQ.exe

Filesize
1.2MB

MD5
663913cbcfbc87ae65bd051a43871ba7

SHA1
1c5d4d23d2013b73143a6a8458c1bf2de6c8941a

SHA256
ec6a84ee0f2d3fde8ae9722090b76cb2925cc13f09291d50161b7076c447b7e8

SHA512
edd4823945e9b23c48dd77f5100dc9c4707332b2b989cccd676e6196b4aeecfc4130d7c1ed3ddfb7f121097d7c8501b685b6b0550b77a734682c1334132e253b

Download Submit
memory/860-123-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/860-211-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-130-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-139-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/860-140-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/860-141-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/860-143-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/860-165-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-168-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-178-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-186-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-84-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-215-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-120-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/860-122-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-121-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/860-118-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1228-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1828-257-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1828-261-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/1828-274-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download