redline | a4a57464834be9fcea74d15fe5712dcf86e7c673d82706cdf8cfbc5aa9fea17f

Resubmissions

25/06/2024, 12:01

240625-n62aja1gmj 10

25/06/2024, 11:59

240625-n54n9s1frr 10

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OBS-Studio-30.1.2-Full-Installer-x64.exe
Size

128.3MB
MD5

bce9a48d09577df4232002803be8b7e7
SHA1

89651d5a375fbe6c0b03e03d7bbd62dac314e2f2
SHA256

a4a57464834be9fcea74d15fe5712dcf86e7c673d82706cdf8cfbc5aa9fea17f
SHA512

1d31e7b8a356db0d48f614b2f17ad760a9e4a0cd1e358613c328bf5a66c45094618ee520f5d2b1cfce9d5eeb5bd52b95bbe31a1390ead30c699c4cdf1a1084d9
SSDEEP

3145728:AxJfr5z+wXxayKEFtlKvbA7Nj3bfmSRcgQ/zjpcazd7jpk:UfVzHFt0U7NTD+ljpcaRZ

Score

10^/10

redline xxx infostealer

Malware Config

Extracted

Family

redline

Botnet

xXx

185.236.228.125:15140

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4916-118-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	OBS-Studio-30.1.2-Full-Installer-x64.exe

Executes dropped EXE 2 IoCs

pid	Process
3288	OBS-Studio-30.1.2-Full-Installer-x64.exe
3580	obstudio.exe

Loads dropped DLL 2 IoCs

pid	Process
3288	OBS-Studio-30.1.2-Full-Installer-x64.exe
3288	OBS-Studio-30.1.2-Full-Installer-x64.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023403-18.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3580 set thread context of 4916	3580	obstudio.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3580	obstudio.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3580	obstudio.exe
3580	obstudio.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3580	obstudio.exe
3580	obstudio.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 6124 wrote to memory of 3288	6124	OBS-Studio-30.1.2-Full-Installer-x64.exe	81
PID 6124 wrote to memory of 3288	6124	OBS-Studio-30.1.2-Full-Installer-x64.exe	81
PID 6124 wrote to memory of 3288	6124	OBS-Studio-30.1.2-Full-Installer-x64.exe	81
PID 6124 wrote to memory of 3580	6124	OBS-Studio-30.1.2-Full-Installer-x64.exe	84
PID 6124 wrote to memory of 3580	6124	OBS-Studio-30.1.2-Full-Installer-x64.exe	84
PID 6124 wrote to memory of 3580	6124	OBS-Studio-30.1.2-Full-Installer-x64.exe	84
PID 3580 wrote to memory of 4916	3580	obstudio.exe	86
PID 3580 wrote to memory of 4916	3580	obstudio.exe	86
PID 3580 wrote to memory of 4916	3580	obstudio.exe	86
PID 3580 wrote to memory of 4916	3580	obstudio.exe	86

C:\Users\Admin\AppData\Local\Temp\OBS-Studio-30.1.2-Full-Installer-x64.exe
"C:\Users\Admin\AppData\Local\Temp\OBS-Studio-30.1.2-Full-Installer-x64.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:6124
- C:\Users\Admin\AppData\Roaming\OBS-Studio-30.1.2-Full-Installer-x64.exe
  "C:\Users\Admin\AppData\Roaming\OBS-Studio-30.1.2-Full-Installer-x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3288
- C:\Users\Admin\AppData\Roaming\obstudio.exe
  "C:\Users\Admin\AppData\Roaming\obstudio.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Roaming\obstudio.exe"
    3⤵
    PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsq615C.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq615C.tmp\ioSpecial.ini

Filesize
1KB

MD5
5b7263339e43072ae2f2c54643861a45

SHA1
c44cc76b51c2f2dbba2835a79765136863e3d77d

SHA256
122e95e00a5e1b82fa8bcd217a1be422ba4113a0a9aa6b161bde06ff11b965ed

SHA512
0ac9e1cb1086e556abc5d3f603b85998918e8bfc4109b1b44abc96b64609338cb58b2b52f04b0c7db5386599bbf224d3608753c7c912012270b8a954bc306ece

Download Submit
C:\Users\Admin\AppData\Roaming\obstudio.exe

Filesize
1.1MB

MD5
46ab0cc1ea09e53e3239f1c520be7e63

SHA1
f7e2cd72077c4c743539a666ff5c358419eac21a

SHA256
52ff4c3befd8b1a1eec11b92f94d03f29bef0f86f733edc6f1d79388b04017a1

SHA512
63de10d2bce14a609e7cbb6827c02a5f10095b9e1f30379ab2f721a163017c05f78a5886bf553ddd2e8df5b35895ab631099ffac9d05ec96a9ac67c9ed538ac4

Download Submit
memory/4916-123-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/4916-118-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4916-119-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/4916-120-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/4916-121-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/4916-122-0x0000000006630000-0x0000000006C48000-memory.dmp

Filesize
6.1MB

Download
memory/4916-124-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/4916-125-0x0000000005850000-0x000000000588C000-memory.dmp

Filesize
240KB

Download
memory/4916-126-0x00000000059D0000-0x0000000005A1C000-memory.dmp

Filesize
304KB

Download
memory/6124-25-0x00007FFA03790000-0x00007FFA04251000-memory.dmp

Filesize
10.8MB

Download
memory/6124-2-0x00007FFA03790000-0x00007FFA04251000-memory.dmp

Filesize
10.8MB

Download
memory/6124-1-0x00000000004A0000-0x00000000014A0000-memory.dmp

Filesize
16.0MB

Download
memory/6124-0-0x00007FFA03793000-0x00007FFA03795000-memory.dmp

Filesize
8KB

Download