redline | 733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
13/11/2023, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe
Size

15.2MB
MD5

211097310dfd7c551035a38baae5f637
SHA1

e376bd625016637fc68ee4b22280c26edc6594d2
SHA256

733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436
SHA512

73316cb83ede1431c0759eb8c03ccead213ad9d1ac8e7fa3c80501475305e7e40e621efd27a97da83bd072bb70a7e9e7e9629953f8b1970abdf71c57e3f7aee9
SSDEEP

98304:7y7jL1CH2WLEf1Rpf5FREMjR5Tq7cSsmA:7uSMbRFyCR5OAxmA

Score

10^/10

redline @ytlogsbot infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/2104-6-0x0000000000180000-0x00000000001BE000-memory.dmp	family_redline
behavioral1/memory/2104-9-0x0000000000180000-0x00000000001BE000-memory.dmp	family_redline
behavioral1/memory/2104-12-0x0000000000180000-0x00000000001BE000-memory.dmp	family_redline
behavioral1/memory/2104-14-0x00000000073B0000-0x00000000073F0000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 2104	1920	733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2104	jsc.exe
2104	jsc.exe
2104	jsc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	jsc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2104	1920	733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe	28
PID 1920 wrote to memory of 2104	1920	733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe	28
PID 1920 wrote to memory of 2104	1920	733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe	28
PID 1920 wrote to memory of 2104	1920	733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe	28
PID 1920 wrote to memory of 2104	1920	733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe	28
PID 1920 wrote to memory of 2104	1920	733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe	28

C:\Users\Admin\AppData\Local\Temp\733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe
"C:\Users\Admin\AppData\Local\Temp\733e2c2b9b6f626b4395f5b12a9920b5f6d0e59fb9b61e28c85c7476da942436.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1920-4-0x000000013F1E0000-0x000000013FB88000-memory.dmp

Filesize
9.7MB

Download
memory/1920-10-0x000000013F1E0000-0x000000013FB88000-memory.dmp

Filesize
9.7MB

Download
memory/2104-5-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/2104-6-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/2104-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-9-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/2104-12-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/2104-13-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-14-0x00000000073B0000-0x00000000073F0000-memory.dmp

Filesize
256KB

Download
memory/2104-15-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download