redline | 0fc4d502fce6b9f13c09f38ab651462d6fa8a29316b55f9920466e9283463191

Analysis

max time kernel
301s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WeSoft.exe
Size

6.9MB
MD5

b8c2aef5c38e827a7773c2efd0cfe310
SHA1

034f756417bd03d18e30df3ec75e8c34fd2e938d
SHA256

45589cbb6d70380b112446fdea6643da47100c6699b130f9b99bcc24cae0e140
SHA512

46d0f74b5184d98cf91c7f53d2f8d66cf4f3789935a197f520a5cbdb6f968e13c2da81846640603cea56e51b8d936cc155074dfa1676245657052412a7d2d783
SSDEEP

98304:YcoBjotiA6IZZnV2wRi1RBYZsTBrHJWGs2NyqeoNE/7SRYY2VymGu/m6zHAlA649:ejOp6IZawo1/YGTVHJack+YlGlSRRB

Score

10^/10

redline 5637482599 infostealer infostealer_generic spyware

Malware Config

Extracted

Family

redline

Botnet

5637482599

https://pastebin.com/raw/NgsUAPya

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Find unpacked information stealer based on possible SQL query to retrieve broswer data 1 IoCs

Detects infostealer.

infostealer_generic

resource	yara_rule
behavioral2/memory/3980-407-0x0000000000400000-0x000000000041E000-memory.dmp	infostealer_generic_browser_sql

Executes dropped EXE 1 IoCs

pid	Process
2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4964	2416	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3980	InstallUtil.exe
3980	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	InstallUtil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1968	javaw.exe
1968	javaw.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 1968	5080	WeSoft.exe	82
PID 5080 wrote to memory of 1968	5080	WeSoft.exe	82
PID 5080 wrote to memory of 1968	5080	WeSoft.exe	82
PID 1968 wrote to memory of 1232	1968	javaw.exe	90
PID 1968 wrote to memory of 1232	1968	javaw.exe	90
PID 1968 wrote to memory of 1232	1968	javaw.exe	90
PID 1916 wrote to memory of 2416	1916	explorer.exe	93
PID 1916 wrote to memory of 2416	1916	explorer.exe	93
PID 1916 wrote to memory of 2416	1916	explorer.exe	93
PID 2416 wrote to memory of 4708	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	96
PID 2416 wrote to memory of 4708	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	96
PID 2416 wrote to memory of 4708	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	96
PID 2416 wrote to memory of 4708	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	96
PID 2416 wrote to memory of 412	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	97
PID 2416 wrote to memory of 412	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	97
PID 2416 wrote to memory of 412	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	97
PID 2416 wrote to memory of 412	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	97
PID 2416 wrote to memory of 4948	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	98
PID 2416 wrote to memory of 4948	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	98
PID 2416 wrote to memory of 4948	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	98
PID 2416 wrote to memory of 4948	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	98
PID 2416 wrote to memory of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99
PID 2416 wrote to memory of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99
PID 2416 wrote to memory of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99
PID 2416 wrote to memory of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99
PID 2416 wrote to memory of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99
PID 2416 wrote to memory of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99
PID 2416 wrote to memory of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99
PID 2416 wrote to memory of 3980	2416	YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe	99

C:\Users\Admin\AppData\Local\Temp\WeSoft.exe
"C:\Users\Admin\AppData\Local\Temp\WeSoft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\WeSoft.exe" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe
    3⤵
    PID:1232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe
  "C:\Users\Admin\AppData\Local\Temp\YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 284
    3⤵
    - Program crash
    PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe

Filesize
1.2MB

MD5
0c41a7920a123b8814089411c78957cf

SHA1
184122fa16addd8517fd76e6bd39b0574866f515

SHA256
4fe12b1a81677e19f994a28e0f16f1883816b9eac73a2f19796a65e4673e88e5

SHA512
f4e6182ccf451f270a427c8d74b89dae29536e1bf91d380c483eda257e76d966167979eb83961d94da11fb9ad499ba1997bfb046cb434175a806f189d1a6f15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTgxNmMwOTkwYzYwMjJiMmFkMDcyNmYzOTcxYTkyMDA.exe

Filesize
1.2MB

MD5
0c41a7920a123b8814089411c78957cf

SHA1
184122fa16addd8517fd76e6bd39b0574866f515

SHA256
4fe12b1a81677e19f994a28e0f16f1883816b9eac73a2f19796a65e4673e88e5

SHA512
f4e6182ccf451f270a427c8d74b89dae29536e1bf91d380c483eda257e76d966167979eb83961d94da11fb9ad499ba1997bfb046cb434175a806f189d1a6f15f

Download Submit
memory/1968-163-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1968-188-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1968-194-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1968-225-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1968-238-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1968-241-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1968-243-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3980-409-0x0000000004E80000-0x0000000004E92000-memory.dmp

Filesize
72KB

Download
memory/3980-419-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3980-408-0x00000000055A0000-0x0000000005BB8000-memory.dmp

Filesize
6.1MB

Download
memory/3980-431-0x0000000006FA0000-0x0000000006FF0000-memory.dmp

Filesize
320KB

Download
memory/3980-410-0x0000000005090000-0x000000000519A000-memory.dmp

Filesize
1.0MB

Download
memory/3980-413-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3980-415-0x0000000006040000-0x000000000607C000-memory.dmp

Filesize
240KB

Download
memory/3980-407-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3980-421-0x0000000006370000-0x0000000006532000-memory.dmp

Filesize
1.8MB

Download
memory/3980-423-0x0000000006A70000-0x0000000006F9C000-memory.dmp

Filesize
5.2MB

Download
memory/3980-424-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/3980-426-0x0000000007550000-0x0000000007AF4000-memory.dmp

Filesize
5.6MB

Download
memory/3980-427-0x0000000006760000-0x00000000067F2000-memory.dmp

Filesize
584KB

Download
memory/3980-429-0x0000000006900000-0x0000000006976000-memory.dmp

Filesize
472KB

Download
memory/3980-430-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/5080-133-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download