redline | 2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
22/07/2023, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b52e97ef9a8fd351fd878ebf36f8377.exe
Size

3.1MB
MD5

9b52e97ef9a8fd351fd878ebf36f8377
SHA1

8931188c8ae85bc39a0bb7bfe4249d6098533954
SHA256

2f94e4ce7f8ee0d584b776988ac0dd80df820f5a44d866271efce73c6ad84fc6
SHA512

a0e720287758aa3110512741bc4657e65cba46ec932d81a3bcb14d12cff50e78fed976ff351e1b47056eeb9690d0638ea5a0cc89bea826290e3ac391e496f767
SSDEEP

49152:HNR10gLk3Fw7aitvQpBymUlb9vHMQmdFbL64FXm:HNR95yByvlJlcFbBF

Score

10^/10

redline @ytlogsbot lux3 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@ytlogsbot

176.123.9.85:16482

Attributes

auth_value
36b3ee30353ed1e6c1776af75fcfbc2c

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/2212-54-0x0000000000AC0000-0x0000000000DE7000-memory.dmp	family_redline
behavioral1/memory/2072-56-0x0000000000400000-0x0000000000592000-memory.dmp	family_redline
behavioral1/memory/2072-62-0x0000000000400000-0x0000000000592000-memory.dmp	family_redline
behavioral1/memory/2072-63-0x0000000000400000-0x0000000000592000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2336	@ytlogsbot.exe
2552	lux3.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	AppLaunch.exe
2072	AppLaunch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	2212	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2336	@ytlogsbot.exe
2336	@ytlogsbot.exe
2552	lux3.exe
2552	lux3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	@ytlogsbot.exe
Token: SeDebugPrivilege	2552	lux3.exe
Token: SeDebugPrivilege	2072	AppLaunch.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 2072	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	29
PID 2212 wrote to memory of 1892	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	30
PID 2212 wrote to memory of 1892	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	30
PID 2212 wrote to memory of 1892	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	30
PID 2212 wrote to memory of 1892	2212	9b52e97ef9a8fd351fd878ebf36f8377.exe	30
PID 2072 wrote to memory of 2336	2072	AppLaunch.exe	31
PID 2072 wrote to memory of 2336	2072	AppLaunch.exe	31
PID 2072 wrote to memory of 2336	2072	AppLaunch.exe	31
PID 2072 wrote to memory of 2336	2072	AppLaunch.exe	31
PID 2072 wrote to memory of 2336	2072	AppLaunch.exe	31
PID 2072 wrote to memory of 2336	2072	AppLaunch.exe	31
PID 2072 wrote to memory of 2336	2072	AppLaunch.exe	31
PID 2072 wrote to memory of 2552	2072	AppLaunch.exe	32
PID 2072 wrote to memory of 2552	2072	AppLaunch.exe	32
PID 2072 wrote to memory of 2552	2072	AppLaunch.exe	32
PID 2072 wrote to memory of 2552	2072	AppLaunch.exe	32
PID 2072 wrote to memory of 2552	2072	AppLaunch.exe	32
PID 2072 wrote to memory of 2552	2072	AppLaunch.exe	32
PID 2072 wrote to memory of 2552	2072	AppLaunch.exe	32
PID 2072 wrote to memory of 1132	2072	AppLaunch.exe	36
PID 2072 wrote to memory of 1132	2072	AppLaunch.exe	36
PID 2072 wrote to memory of 1132	2072	AppLaunch.exe	36
PID 2072 wrote to memory of 1132	2072	AppLaunch.exe	36
PID 2072 wrote to memory of 1132	2072	AppLaunch.exe	36
PID 2072 wrote to memory of 1132	2072	AppLaunch.exe	36
PID 2072 wrote to memory of 1132	2072	AppLaunch.exe	36
PID 1132 wrote to memory of 2016	1132	cmd.exe	38
PID 1132 wrote to memory of 2016	1132	cmd.exe	38
PID 1132 wrote to memory of 2016	1132	cmd.exe	38
PID 1132 wrote to memory of 2016	1132	cmd.exe	38
PID 1132 wrote to memory of 2016	1132	cmd.exe	38
PID 1132 wrote to memory of 2016	1132	cmd.exe	38
PID 1132 wrote to memory of 2016	1132	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\9b52e97ef9a8fd351fd878ebf36f8377.exe
"C:\Users\Admin\AppData\Local\Temp\9b52e97ef9a8fd351fd878ebf36f8377.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 36
  2⤵
  - Program crash
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
\Users\Admin\AppData\Roaming\configurationValue\@ytlogsbot.exe

Filesize
127KB

MD5
dc0d6257af6ac44eb10333a282b0f738

SHA1
a749e2c90b313174a91a6e51db6bc8e6dc00f37e

SHA256
f80103f2a3b19dc0e0b26e84e4f259b5e07226527c06b253ea441c98eeb98808

SHA512
3d264ab41521b858c285f80dd3cafabb3c80b1ae0fcff901a5bdadf81b3aed075c164c4d908cee0a0ace700b755e4f04f4dc1715e6009008975bd90c5b7d3b23

Download Submit
\Users\Admin\AppData\Roaming\configurationValue\lux3.exe

Filesize
168KB

MD5
936cb3023cd500e07e9ad5dda9996c3f

SHA1
5772bd98e8da65cb1339e45074b0a6eaf07219a6

SHA256
7c533374288bae24f70e51c9b70c372e9d91fea2c51ce84903f47ea769fba83f

SHA512
38054bc192025b0c46ad5ba75c9ba869602fc782e7abfffb6a14cf18b3b3f4b7e93f9bcb48c253a888f5c758fdfcd85a40ab9e77153ec8bf496e00c13a32cd8b

Download Submit
memory/2072-87-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-55-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2072-64-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-63-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2072-93-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-88-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2072-65-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2072-62-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2072-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-56-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2212-54-0x0000000000AC0000-0x0000000000DE7000-memory.dmp

Filesize
3.2MB

Download
memory/2336-79-0x0000000000300000-0x0000000000326000-memory.dmp

Filesize
152KB

Download
memory/2336-85-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/2336-89-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-82-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-91-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-84-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2552-86-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/2552-83-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-90-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-92-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-81-0x00000000011F0000-0x0000000001220000-memory.dmp

Filesize
192KB

Download