redline | 6b937ac8b7f889100cf86a34f74ff2fbdba7b072822026ab275d2a5ee6b7b650

Analysis

max time kernel
139s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DawnLand6.exe
Size

10.0MB
MD5

9fa3180810afbbb9f999e5239027fdec
SHA1

3c3610842d1bb832cf8a422714da529708a8e6ec
SHA256

6b937ac8b7f889100cf86a34f74ff2fbdba7b072822026ab275d2a5ee6b7b650
SHA512

04e411cd7114b0904576f33bcb02d876136a035fcbed5ec71728e426d0fbd37d8ee0896113036745bc452482771df918885b6b0e829c49b17bf46687bc9c47d8
SSDEEP

3072:hca9VP4bW3TRHuTMGidsptIGT31qrIf//3x5cJKy9g/kdLUVgKuOiyb:hxP44Huwc31qrw/fx5uRdLAgKu58

Score

10^/10

redline dawnland infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

DAwnLand

212.113.116.143:23052

Attributes

auth_value
8fc5b8d18171bebfcf117ba0aad639d2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 4588	4120	powershell.exe	94

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4120	powershell.exe
4120	powershell.exe
4588	AppLaunch.exe
4588	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4588	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 1416	3276	DawnLand6.exe	85
PID 3276 wrote to memory of 1416	3276	DawnLand6.exe	85
PID 3276 wrote to memory of 1416	3276	DawnLand6.exe	85
PID 1416 wrote to memory of 4120	1416	cmd.exe	86
PID 1416 wrote to memory of 4120	1416	cmd.exe	86
PID 1416 wrote to memory of 4120	1416	cmd.exe	86
PID 4120 wrote to memory of 3844	4120	powershell.exe	90
PID 4120 wrote to memory of 3844	4120	powershell.exe	90
PID 4120 wrote to memory of 3844	4120	powershell.exe	90
PID 3844 wrote to memory of 2496	3844	csc.exe	91
PID 3844 wrote to memory of 2496	3844	csc.exe	91
PID 3844 wrote to memory of 2496	3844	csc.exe	91
PID 4120 wrote to memory of 3112	4120	powershell.exe	92
PID 4120 wrote to memory of 3112	4120	powershell.exe	92
PID 4120 wrote to memory of 3112	4120	powershell.exe	92
PID 3112 wrote to memory of 3268	3112	csc.exe	93
PID 3112 wrote to memory of 3268	3112	csc.exe	93
PID 3112 wrote to memory of 3268	3112	csc.exe	93
PID 4120 wrote to memory of 4588	4120	powershell.exe	94
PID 4120 wrote to memory of 4588	4120	powershell.exe	94
PID 4120 wrote to memory of 4588	4120	powershell.exe	94
PID 4120 wrote to memory of 4588	4120	powershell.exe	94
PID 4120 wrote to memory of 4588	4120	powershell.exe	94
PID 4120 wrote to memory of 4588	4120	powershell.exe	94
PID 4120 wrote to memory of 4588	4120	powershell.exe	94
PID 4120 wrote to memory of 4588	4120	powershell.exe	94

C:\Users\Admin\AppData\Local\Temp\DawnLand6.exe
"C:\Users\Admin\AppData\Local\Temp\DawnLand6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command -
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -Command -
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zd5x1kb4\zd5x1kb4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF56.tmp" "c:\Users\Admin\AppData\Local\Temp\zd5x1kb4\CSCDCF8CBE12B614613B8085DB55CB999.TMP"
        5⤵
        
        PID:2496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z1bluz10\z1bluz10.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD244.tmp" "c:\Users\Admin\AppData\Local\Temp\z1bluz10\CSC3F1E16B1D51A4CDA8FF702AF3C49CC4.TMP"
        5⤵
        
        PID:3268
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCF56.tmp

Filesize
1KB

MD5
0f85361a45d6f5b0c4ad7ba50a53cd7d

SHA1
bb1117eb66765650d62edc1f155e5b358b7e34bd

SHA256
0808457dff815e38403a4540bcc7b8fbe98b5b68b96b5945c79ac1e4eb3c786f

SHA512
213e11b886442c5897e98bd692f3565e0ed645456aa92ee96c7734ff73f4312d1c0eae7dc28e4c799630681ec10b071447f14f40b308e8536c3e6a03c55993e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD244.tmp

Filesize
1KB

MD5
ad565d10f50509c38cc4cebd2e133b0a

SHA1
e154e5aff66444f32cdaeaa5711f81b8a8311100

SHA256
bfbb1cfe794a40ac9e77b18073c1147d44264185631431b9d09b685d9e2ad509

SHA512
9e80899eb99c8d1ede9f71a9d1f6df747f29f434688df3635b98520b676967170dbfa40df1d06b2b8f9405a29d87a233e6962e6311e778c30eac6b23ec8fd770

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3y2xljp.a4l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\z1bluz10\z1bluz10.dll

Filesize
3KB

MD5
73d9897dfc0d90f54d440526b16c4b67

SHA1
55c4e3bec1168e185f8c0ff39f74fd634fcba79f

SHA256
7b501a53393d277463a319154ac4fd25e3a2ff91d26828ffb64940244992a6f8

SHA512
26cb002a67c58f6b68a318cfc1a430ff6a32fc8f44a8dd2957f1350f9eb3b8f89c09642dc3634d62320ec8c35e90a2c55186bc2cf250c2d09141e48b462dacbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zd5x1kb4\zd5x1kb4.dll

Filesize
3KB

MD5
439037c0f8a6e208bdb2c9136283db5d

SHA1
92c683c91a0791a9c4c2e399855a61fe79d9750b

SHA256
08cc3e67701f3497831755377118ca1098899cfdf4d1939bd3f060904d3c8213

SHA512
337feffb2b0b80c99124180d4b7f95069dc813d17fbda73e9828a67f6bc42088d22dd22289b7087da7c5ddc7ebc49fbdfc6a254894cd3861ba94f80da4e4786b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1bluz10\CSC3F1E16B1D51A4CDA8FF702AF3C49CC4.TMP

Filesize
652B

MD5
996e44fa9cb1334cae4e622918d86d31

SHA1
edfa5b2a7d1d53d64447adbad5c7ae0d64f678a5

SHA256
b6cc21605ee632c6fe7d77b7e2cf5e03475c5c75eb62bfc16cc36c15841c1084

SHA512
58679c2880b7318b14f4bdd6e68beb3587ea566e5b8c97398c7d17a174e7af6bb6c2e644d791aef805a8ff1f258c51620300acd6f29f8d628242b84e0d7cf3e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1bluz10\z1bluz10.0.cs

Filesize
373B

MD5
81f2cd44c0cf05f5141da2857e6b0e72

SHA1
fd0c86cb0621b477b33ec750069d54433fe62d3e

SHA256
f64419c35813e37ea5833c9114b972924a1a4c873bb6e22369935cba9f1374c5

SHA512
d82ef733de8758b5e9c709cb32feb3cb4b1f0b6bba5af68c923f81886788b845805dfbb9fc74806b2e9356b0b490813e4183f37674e3dae272424e9d4996bdba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z1bluz10\z1bluz10.cmdline

Filesize
369B

MD5
4092d663c5a44bab2f6792268d8e19a0

SHA1
c7677ccc853909f96f496ea19affb1960e29ae4a

SHA256
cc02c6fa42e4c724820154732c1757d7011d0a349da160560fee7ad24eda54f0

SHA512
00615ddc4ed88e61b8a7c6c2e2a27422db87dc8304c6a1cd6dbe632b9323b6636f01217816b23ca4b5d2ace26a9cf6dbfbf97a42326b59d97acb0c8b0dfbe5a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zd5x1kb4\CSCDCF8CBE12B614613B8085DB55CB999.TMP

Filesize
652B

MD5
e39577e3ae130e8d5b1b606a1481c437

SHA1
039d050b4e4c1390d81e558d150d7af6c4ae3c14

SHA256
c93a48825df82c143bb92092ff508fb652e1a982240b63277e56b9871c5678e3

SHA512
7ed23b6633ad9f9a3c3cab0a8fe039feceaa84bb1a353f79d8ab667fb6b5cc2ea7406f58674cf0e7131f2a5be85fd6d77281a012b2dac257fd42348b2576d678

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zd5x1kb4\zd5x1kb4.0.cs

Filesize
446B

MD5
6222ceb9baf34d2ef373ff3b44ca20d4

SHA1
21497b445fb7b2d43a2c4c7f561bc6394ca15eae

SHA256
69b06d760168977beb426d9cc88b64f2244fd6e09e1a1a7b99b04bbad1aa45ed

SHA512
dbb8ed50c9fba26b9f5049ed72caad624a4f02a5bebd7790c9b89246df0a40a0532219ed9629a1756748e4d5dd2911170840c08c51f02dc346ad083e75bfcf3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zd5x1kb4\zd5x1kb4.cmdline

Filesize
369B

MD5
02d28fd22a2caff61ff6c252ce052555

SHA1
62e96510492c2e43a886eba910220b8806cb3bd8

SHA256
9ee7f1a6084c9d642d2345cf0c1ed259d047831755e2ba1aea869726789f39ee

SHA512
a70eeb31af4a2e45b7ce3222c7136ac893a2fbc9dd584fcabb83056eb68258347ee82088c56a25e53cb893ddd72c9aaebd0a9a988cb00373f900a2102a18df84

Download Submit
memory/3276-185-0x0000000000400000-0x0000000000E45000-memory.dmp

Filesize
10.3MB

Download
memory/3276-134-0x0000000000400000-0x0000000000E45000-memory.dmp

Filesize
10.3MB

Download
memory/3276-194-0x0000000000400000-0x0000000000E45000-memory.dmp

Filesize
10.3MB

Download
memory/4120-151-0x0000000006600000-0x0000000006644000-memory.dmp

Filesize
272KB

Download
memory/4120-186-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4120-157-0x0000000007550000-0x0000000007572000-memory.dmp

Filesize
136KB

Download
memory/4120-158-0x00000000086B0000-0x0000000008C54000-memory.dmp

Filesize
5.6MB

Download
memory/4120-155-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4120-154-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/4120-153-0x0000000007A80000-0x00000000080FA000-memory.dmp

Filesize
6.5MB

Download
memory/4120-152-0x0000000007160000-0x00000000071D6000-memory.dmp

Filesize
472KB

Download
memory/4120-150-0x00000000060A0000-0x00000000060BE000-memory.dmp

Filesize
120KB

Download
memory/4120-149-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4120-144-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4120-138-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/4120-137-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/4120-136-0x00000000051E0000-0x0000000005202000-memory.dmp

Filesize
136KB

Download
memory/4120-135-0x00000000052E0000-0x0000000005908000-memory.dmp

Filesize
6.2MB

Download
memory/4120-156-0x00000000075B0000-0x0000000007646000-memory.dmp

Filesize
600KB

Download
memory/4120-187-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/4120-133-0x0000000002770000-0x00000000027A6000-memory.dmp

Filesize
216KB

Download
memory/4588-191-0x0000000005D50000-0x0000000006368000-memory.dmp

Filesize
6.1MB

Download
memory/4588-192-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/4588-193-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/4588-188-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4588-195-0x0000000005800000-0x000000000583C000-memory.dmp

Filesize
240KB

Download
memory/4588-196-0x0000000005B60000-0x0000000005B70000-memory.dmp

Filesize
64KB

Download
memory/4588-197-0x0000000006710000-0x00000000067A2000-memory.dmp

Filesize
584KB

Download
memory/4588-198-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/4588-199-0x0000000007460000-0x00000000074B0000-memory.dmp

Filesize
320KB

Download
memory/4588-200-0x0000000007680000-0x0000000007842000-memory.dmp

Filesize
1.8MB

Download
memory/4588-201-0x00000000082F0000-0x000000000881C000-memory.dmp

Filesize
5.2MB

Download