redline | a4a57464834be9fcea74d15fe5712dcf86e7c673d82706cdf8cfbc5aa9fea17f

General

Target

OBS-Studio-30.1.2-Full-Installer-x64.exe
Size

128.3MB
MD5

bce9a48d09577df4232002803be8b7e7
SHA1

89651d5a375fbe6c0b03e03d7bbd62dac314e2f2
SHA256

a4a57464834be9fcea74d15fe5712dcf86e7c673d82706cdf8cfbc5aa9fea17f
SHA512

1d31e7b8a356db0d48f614b2f17ad760a9e4a0cd1e358613c328bf5a66c45094618ee520f5d2b1cfce9d5eeb5bd52b95bbe31a1390ead30c699c4cdf1a1084d9
SSDEEP

3145728:AxJfr5z+wXxayKEFtlKvbA7Nj3bfmSRcgQ/zjpcazd7jpk:UfVzHFt0U7NTD+ljpcaRZ

Score

10^/10

redline xxx infostealer

Malware Config

Extracted

Family

redline

Botnet

xXx

C2

185.236.228.125:15140

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/2672-109-0x0000000000090000-0x00000000000E0000-memory.dmp	family_redline
behavioral1/memory/2672-117-0x0000000000090000-0x00000000000E0000-memory.dmp	family_redline
behavioral1/memory/2672-114-0x0000000000090000-0x00000000000E0000-memory.dmp	family_redline
behavioral1/memory/2672-110-0x0000000000090000-0x00000000000E0000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2944	OBS-Studio-30.1.2-Full-Installer-x64.exe
2516	obstudio.exe

Loads dropped DLL 3 IoCs

pid	Process
2944	OBS-Studio-30.1.2-Full-Installer-x64.exe
2944	OBS-Studio-30.1.2-Full-Installer-x64.exe
2944	OBS-Studio-30.1.2-Full-Installer-x64.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0034000000016cc9-12.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 2672	2516	obstudio.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2516	obstudio.exe
2516	obstudio.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2516	obstudio.exe
2516	obstudio.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2516	obstudio.exe
2516	obstudio.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2944	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	28
PID 1040 wrote to memory of 2944	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	28
PID 1040 wrote to memory of 2944	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	28
PID 1040 wrote to memory of 2944	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	28
PID 1040 wrote to memory of 2944	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	28
PID 1040 wrote to memory of 2944	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	28
PID 1040 wrote to memory of 2944	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	28
PID 1040 wrote to memory of 2516	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	29
PID 1040 wrote to memory of 2516	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	29
PID 1040 wrote to memory of 2516	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	29
PID 1040 wrote to memory of 2516	1040	OBS-Studio-30.1.2-Full-Installer-x64.exe	29
PID 2516 wrote to memory of 2672	2516	obstudio.exe	30
PID 2516 wrote to memory of 2672	2516	obstudio.exe	30
PID 2516 wrote to memory of 2672	2516	obstudio.exe	30
PID 2516 wrote to memory of 2672	2516	obstudio.exe	30
PID 2516 wrote to memory of 2672	2516	obstudio.exe	30
PID 2516 wrote to memory of 2672	2516	obstudio.exe	30
PID 2516 wrote to memory of 2672	2516	obstudio.exe	30
PID 2516 wrote to memory of 2672	2516	obstudio.exe	30

C:\Users\Admin\AppData\Local\Temp\OBS-Studio-30.1.2-Full-Installer-x64.exe
"C:\Users\Admin\AppData\Local\Temp\OBS-Studio-30.1.2-Full-Installer-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Roaming\OBS-Studio-30.1.2-Full-Installer-x64.exe
  "C:\Users\Admin\AppData\Roaming\OBS-Studio-30.1.2-Full-Installer-x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2944
- C:\Users\Admin\AppData\Roaming\obstudio.exe
  "C:\Users\Admin\AppData\Roaming\obstudio.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Roaming\obstudio.exe"
    3⤵
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst36DB.tmp\ioSpecial.ini

Filesize
1KB

MD5
d3d0c39ec78d8c5e6eed2b1be77a01e4

SHA1
b0924538310ed82ace33388d6399d4caeb0dd3b1

SHA256
d7f4698a843a642a18bfb1139b0935d3fefe87a1333b02806eef53995ab90eae

SHA512
40e4cc55f3ceed2ec99dde5018d15b0ceee38964c086107baa0f9df15668b7acd85330bbf54867900ef82df315619ab01929249edc5544145c1d08ea219b3b23

Download Submit
C:\Users\Admin\AppData\Roaming\obstudio.exe

Filesize
1.1MB

MD5
46ab0cc1ea09e53e3239f1c520be7e63

SHA1
f7e2cd72077c4c743539a666ff5c358419eac21a

SHA256
52ff4c3befd8b1a1eec11b92f94d03f29bef0f86f733edc6f1d79388b04017a1

SHA512
63de10d2bce14a609e7cbb6827c02a5f10095b9e1f30379ab2f721a163017c05f78a5886bf553ddd2e8df5b35895ab631099ffac9d05ec96a9ac67c9ed538ac4

Download Submit
\Users\Admin\AppData\Local\Temp\nst36DB.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
\Users\Admin\AppData\Local\Temp\nst36DB.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
memory/1040-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/1040-1-0x0000000000950000-0x0000000001950000-memory.dmp

Filesize
16.0MB

Download
memory/1040-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/1040-25-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2672-109-0x0000000000090000-0x00000000000E0000-memory.dmp

Filesize
320KB

Download
memory/2672-117-0x0000000000090000-0x00000000000E0000-memory.dmp

Filesize
320KB

Download
memory/2672-114-0x0000000000090000-0x00000000000E0000-memory.dmp

Filesize
320KB

Download
memory/2672-110-0x0000000000090000-0x00000000000E0000-memory.dmp

Filesize
320KB

Download

Resubmissions

Analysis

Sharing