redline | 6b937ac8b7f889100cf86a34f74ff2fbdba7b072822026ab275d2a5ee6b7b650

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DawnLand6.exe
Size

10.0MB
MD5

9fa3180810afbbb9f999e5239027fdec
SHA1

3c3610842d1bb832cf8a422714da529708a8e6ec
SHA256

6b937ac8b7f889100cf86a34f74ff2fbdba7b072822026ab275d2a5ee6b7b650
SHA512

04e411cd7114b0904576f33bcb02d876136a035fcbed5ec71728e426d0fbd37d8ee0896113036745bc452482771df918885b6b0e829c49b17bf46687bc9c47d8
SSDEEP

3072:hca9VP4bW3TRHuTMGidsptIGT31qrIf//3x5cJKy9g/kdLUVgKuOiyb:hxP44Huwc31qrw/fx5uRdLAgKu58

Score

10^/10

redline dawnland infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

DAwnLand

212.113.116.143:23052

Attributes

auth_value
8fc5b8d18171bebfcf117ba0aad639d2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1020 set thread context of 2720	1020	powershell.exe	35

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1020	powershell.exe
2720	AppLaunch.exe
2720	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	2720	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2292	2368	DawnLand6.exe	29
PID 2368 wrote to memory of 2292	2368	DawnLand6.exe	29
PID 2368 wrote to memory of 2292	2368	DawnLand6.exe	29
PID 2368 wrote to memory of 2292	2368	DawnLand6.exe	29
PID 2292 wrote to memory of 1020	2292	cmd.exe	30
PID 2292 wrote to memory of 1020	2292	cmd.exe	30
PID 2292 wrote to memory of 1020	2292	cmd.exe	30
PID 2292 wrote to memory of 1020	2292	cmd.exe	30
PID 1020 wrote to memory of 892	1020	powershell.exe	31
PID 1020 wrote to memory of 892	1020	powershell.exe	31
PID 1020 wrote to memory of 892	1020	powershell.exe	31
PID 1020 wrote to memory of 892	1020	powershell.exe	31
PID 892 wrote to memory of 3008	892	csc.exe	32
PID 892 wrote to memory of 3008	892	csc.exe	32
PID 892 wrote to memory of 3008	892	csc.exe	32
PID 892 wrote to memory of 3008	892	csc.exe	32
PID 1020 wrote to memory of 2032	1020	powershell.exe	33
PID 1020 wrote to memory of 2032	1020	powershell.exe	33
PID 1020 wrote to memory of 2032	1020	powershell.exe	33
PID 1020 wrote to memory of 2032	1020	powershell.exe	33
PID 2032 wrote to memory of 2184	2032	csc.exe	34
PID 2032 wrote to memory of 2184	2032	csc.exe	34
PID 2032 wrote to memory of 2184	2032	csc.exe	34
PID 2032 wrote to memory of 2184	2032	csc.exe	34
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35
PID 1020 wrote to memory of 2720	1020	powershell.exe	35

C:\Users\Admin\AppData\Local\Temp\DawnLand6.exe
"C:\Users\Admin\AppData\Local\Temp\DawnLand6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command -
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command -
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\icise5du.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC42FA.tmp"
        5⤵
        
        PID:3008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\coe0giwo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A0D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A0C.tmp"
        5⤵
        
        PID:2184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES42FB.tmp

Filesize
1KB

MD5
fb50647587fa7b53d35753eddb07b88f

SHA1
f63bb4f064348af51f129192e94e35d0d297838a

SHA256
21128d2a4d75a668a8175c11f1b4145274ccf0d2260bee7940e901003cb97811

SHA512
3d97abdd75196a1e74f23d060493c0b297bb803c32aea93c685777e6b029033a26c259c1d016510bba54976527b5ec790818d783b744fb05063c8bf6f26f23cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A0D.tmp

Filesize
1KB

MD5
215789c7196fa775d59b334d6ae6a18a

SHA1
bc8e06f6f8ac545ff9a269e497c4e422d94eea49

SHA256
13911c9aa4dcfd6b791659a1a5be751105216f7624ae2896a686ef361ba89fb1

SHA512
65a5c73c027723b8225bc68f28d5ac8a123c1eb48c5fa0a4882cfe0d59cb83e0b30b2edfe9c172c0f6452e7218d9f3ef09437a46e24e10c2f3aef32a05054ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\coe0giwo.dll

Filesize
3KB

MD5
e5a1473eda2ff6b3d74cdba3c480a277

SHA1
ab1132b89e3e854cdb7df7483e052f2b79c53252

SHA256
9b00e61865e3fe5056cb2ea791e1a05823830d7430f98de9ef010a47bc4c0b69

SHA512
5d7a41f42799cdb367ea1e4a33c5fe22d58181e3a5fd8f0c1787dea7baaa162ba9d7c49a23d50616722973e6d6c8a5c8427af58612c51838adbb1dc77b91cc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\coe0giwo.pdb

Filesize
7KB

MD5
bf1613128f42834ff9be468097310531

SHA1
59c242597db3641c244893eb60878d028feab970

SHA256
312e231885d327a4557647517cc99589dc8e3ecae250f6a9d9041941f3171c5d

SHA512
6c4c6d883ff95e62969dbaa1b97e9743e771055a94e2c60b57a112c5f388a231b21c3e8af03b42e3a17ffcbce3738c1a8433628cd45bee614ec28e98dc593c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\icise5du.dll

Filesize
3KB

MD5
942b07f4446fcaba4af5d29bd1641eb1

SHA1
d7bfbba778a3e5ec3663a1db72539f5865584ab4

SHA256
8faaa10b00412d16d66169ef7b6658ed17e3ef25672f7fd03b1166d5dd8bd4a2

SHA512
7308ff1bdd63bc7898e284835e9dc12033ccaf088f875d230fb2d09978cfc2f056fbfbd361e44d15bb044a37d6ebb909ace4fb46a0f1de6b286af4a64589bca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\icise5du.pdb

Filesize
7KB

MD5
d4857ed4f44fd33f484b2ea5416b4633

SHA1
6aae031712707247cfcc862351789362553c108d

SHA256
84470e2cd0c73ee904a398e1e6d44a638798331c367e3e056cfbb2f64d0ce46f

SHA512
99ea6b093e80fc10773e2e91ec45cdfbd604dc11d81dd887f24d9e111ade3928be587d13cd57462cb17ccdf403b8d5bd6b7280376da049525d22f3dc35ade4ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC42FA.tmp

Filesize
652B

MD5
65f14a03ba95366441b142b9521cd5e7

SHA1
e07c98555514d937474638d10659e02bf6b765af

SHA256
10533c00a0c295dba428bf7f972e34413547857bd740b60e9ec7a324bc5aad5f

SHA512
a1115d824d42b0bcf808d19409bfe5a2a6aaecb1ea3b80d6053ad8f168e0a6fc89ef79a5b66763923af2780f7bc65a3635de29e9393a34e6de9633008a077dd2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4A0C.tmp

Filesize
652B

MD5
80796b53d3ed9ecdfeeeabe62e94fa60

SHA1
3a65f54497ac35f4f8c5a4c646239410af35d02b

SHA256
88525915c6b47339af0521fcd8912533e55137fcdd45d2a4e31aa39e5957f77c

SHA512
7d9ea88eb55ac558083238543f9c191ae5030cd9f54c8f4eca18c216387b03915a37c1f81ff3874e1aae7c99d7e0136ac1dd2c3e6a478907c1939c10b5681911

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\coe0giwo.0.cs

Filesize
373B

MD5
81f2cd44c0cf05f5141da2857e6b0e72

SHA1
fd0c86cb0621b477b33ec750069d54433fe62d3e

SHA256
f64419c35813e37ea5833c9114b972924a1a4c873bb6e22369935cba9f1374c5

SHA512
d82ef733de8758b5e9c709cb32feb3cb4b1f0b6bba5af68c923f81886788b845805dfbb9fc74806b2e9356b0b490813e4183f37674e3dae272424e9d4996bdba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\coe0giwo.cmdline

Filesize
309B

MD5
4dd47700205acedc23de736ac08218b3

SHA1
ecbef7bbe33bfe3fdf753a6e7027ca1fa6d2f297

SHA256
598217472e5df220c6e6203413f2779b56b2867c91c5eb126b28dd8f92939b35

SHA512
ce3b1efb1532e7d249e68bb17f55567621c486d8a5333a45c9912eac0b0c5afbf7767675da723f01dddc75de08ab7547a2df7d8e7467ed9930d5c1cea8773aaa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\icise5du.0.cs

Filesize
446B

MD5
6222ceb9baf34d2ef373ff3b44ca20d4

SHA1
21497b445fb7b2d43a2c4c7f561bc6394ca15eae

SHA256
69b06d760168977beb426d9cc88b64f2244fd6e09e1a1a7b99b04bbad1aa45ed

SHA512
dbb8ed50c9fba26b9f5049ed72caad624a4f02a5bebd7790c9b89246df0a40a0532219ed9629a1756748e4d5dd2911170840c08c51f02dc346ad083e75bfcf3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\icise5du.cmdline

Filesize
309B

MD5
aafe3c8c2b11c8e8160f982b40136fd8

SHA1
b1202bfdfd72f93b087cb6ab07540802c961fb78

SHA256
38e432084acd00f23271f1331227b29a87fcd673ae4cbea73746640b35353a2c

SHA512
1283a276e3282945bf37b2828e2fd39ce0cc5168fe04025e9ac29ee85195d6b8206a6f4ed52f36be695265e17e5d01cfbeaccb5d7d0b764473f37b9e5c95ee28

Download Submit
memory/892-66-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1020-57-0x0000000002440000-0x0000000002480000-memory.dmp

Filesize
256KB

Download
memory/2368-99-0x0000000000400000-0x0000000000E45000-memory.dmp

Filesize
10.3MB

Download
memory/2368-56-0x0000000000400000-0x0000000000E45000-memory.dmp

Filesize
10.3MB

Download
memory/2720-89-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2720-90-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2720-93-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-92-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2720-94-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2720-98-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2720-96-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2720-91-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2720-100-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download