redline | 504aaf3fbd4d0aa32fe7deebd06533d6d1b673c02ad0dd334cc9b351afe1263a

Analysis

max time kernel
91s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2023 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ValorantExternal v3.4.1.exe
Size

978KB
MD5

c36eae4946702af2ff4896cc89f13823
SHA1

7b136099fa2e6ef706bb88d0ba7c69b4386705a1
SHA256

55b003f9fc3a0c8b538d04701cb2fb57441bdd24144b69f258eb1df7b74de79e
SHA512

308cdfe1fb9034f98bf5726608d427e6b3c25656eee5c4003ec0399ea022b88f40b87c4f4acff823f39278237457e93c93f439259212e5d4fd207c2b598292e9
SSDEEP

12288:me9LrhpIF+G5PMZ619CsajupXmzrgSyszQuUg4sEnduzzercMgO4WvN3NMoqd:p9fhpIwG5PMZ6pgQuUgUnOzU3NB

Score

10^/10

redline @wtflooool infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@wtflooool

94.142.138.4:80

Attributes

auth_value
73b07b01031cf6f2730ccdf9b9448a33

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 2636	5064	ValorantExternal v3.4.1.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	5064	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2636	AppLaunch.exe
2636	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2636	5064	ValorantExternal v3.4.1.exe	91
PID 5064 wrote to memory of 2636	5064	ValorantExternal v3.4.1.exe	91
PID 5064 wrote to memory of 2636	5064	ValorantExternal v3.4.1.exe	91
PID 5064 wrote to memory of 2636	5064	ValorantExternal v3.4.1.exe	91
PID 5064 wrote to memory of 2636	5064	ValorantExternal v3.4.1.exe	91

C:\Users\Admin\AppData\Local\Temp\ValorantExternal v3.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\ValorantExternal v3.4.1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 300
  2⤵
  - Program crash
  PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5064 -ip 5064
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-145-0x00000000059F0000-0x0000000005A2C000-memory.dmp

Filesize
240KB

Download
memory/2636-156-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2636-146-0x0000000005F70000-0x0000000005FE6000-memory.dmp

Filesize
472KB

Download
memory/2636-140-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2636-141-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2636-142-0x00000000063D0000-0x00000000069E8000-memory.dmp

Filesize
6.1MB

Download
memory/2636-143-0x0000000005AA0000-0x0000000005BAA000-memory.dmp

Filesize
1.0MB

Download
memory/2636-144-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/2636-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2636-154-0x000000000B890000-0x000000000BDBC000-memory.dmp

Filesize
5.2MB

Download
memory/2636-148-0x000000000A130000-0x000000000A6D4000-memory.dmp

Filesize
5.6MB

Download
memory/2636-147-0x0000000006090000-0x0000000006122000-memory.dmp

Filesize
584KB

Download
memory/2636-149-0x0000000009B80000-0x0000000009BE6000-memory.dmp

Filesize
408KB

Download
memory/2636-150-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2636-151-0x0000000007380000-0x00000000073D0000-memory.dmp

Filesize
320KB

Download
memory/2636-152-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2636-153-0x000000000B190000-0x000000000B352000-memory.dmp

Filesize
1.8MB

Download
memory/5064-134-0x0000000000670000-0x00000000007B1000-memory.dmp

Filesize
1.3MB

Download
memory/5064-133-0x0000000000670000-0x00000000007B1000-memory.dmp

Filesize
1.3MB

Download