Overview

Task                     Platform              Signatures
Static                   static                10
D3dx9.dll                windows7-x64          3
D3dx9.dll                windows10-2004-x64    -
Launcher.exe             windows7-x64          1
Launcher.exe             windows10-2004-x64    7
conf/remar...nt.dll      windows7-x64          10
conf/remar...nt.dll      windows10-2004-x64    1
conf/remar...L3.dll      windows7-x64          1
conf/remar...L3.dll      windows10-2004-x64    1
conf/remar...-5.dll      windows7-x64          1
conf/remar...-5.dll      windows10-2004-x64    1
conf/remar...ze.dll      windows7-x64          1
conf/remar...ze.dll      windows10-2004-x64    1
conf/remar...m2.dll      windows7-x64          3
conf/remar...m2.dll      windows10-2004-x64    1
conf/remar...em.dll      windows7-x64          1
conf/remar...em.dll      windows10-2004-x64    1
conf/remar...em.dll      windows7-x64          1
conf/remar...em.dll      windows10-2004-x64    1
conf/remar...em.dll      windows7-x64          1
conf/remar...em.dll      windows10-2004-x64    1
conf/remar...ib.dll      windows7-x64          1
conf/remar...ib.dll      windows10-2004-x64    1
conf/remar...go.dll      windows7-x64          1
conf/remar...go.dll      windows10-2004-x64    1
conf/remar...n4.dll      windows7-x64          1
conf/remar...n4.dll      windows10-2004-x64    1
conf/remar...or.dll      windows7-x64          1
conf/remar...or.dll      windows10-2004-x64    1
conf/remar...em.dll      windows7-x64          1
conf/remar...em.dll      windows10-2004-x64    1
conf/remar...ty.dll      windows7-x64          1
conf/remar...ty.dll      windows10-2004-x64    1
Analysis
- Max time kernel: 146s
- Max time network: 157s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240709-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 26-07-2024 18:46
Tasks
- static1 (Static task)
- behavioral1: Sample D3dx9.dll, Resource win7-20240704-en
- behavioral2: Sample D3dx9.dll, Resource win10v2004-20240709-en
- behavioral3: Sample Launcher.exe, Resource win7-20240704-en
- behavioral4: Sample Launcher.exe, Resource win10v2004-20240709-en
- behavioral5: Sample conf/remarksGhessWedelns/quinateTelangTawa/Qt5Concurrent.dll, Resource win7-20240708-en
- behavioral6: Sample conf/remarksGhessWedelns/quinateTelangTawa/Qt5Concurrent.dll, Resource win10v2004-20240709-en
- behavioral7: Sample conf/remarksGhessWedelns/quinateTelangTawa/SDL3.dll, Resource win7-20240705-en
- behavioral8: Sample conf/remarksGhessWedelns/quinateTelangTawa/SDL3.dll, Resource win10v2004-20240709-en
- behavioral9: Sample conf/remarksGhessWedelns/quinateTelangTawa/libswscale-5.dll, Resource win7-20240704-en
- behavioral10: Sample conf/remarksGhessWedelns/quinateTelangTawa/libswscale-5.dll, Resource win10v2004-20240709-en
- behavioral11: Sample conf/remarksGhessWedelns/quinateTelangTawa/localize.dll, Resource win7-20240708-en
- behavioral12: Sample conf/remarksGhessWedelns/quinateTelangTawa/localize.dll, Resource win10v2004-20240709-en
- behavioral13: Sample conf/remarksGhessWedelns/quinateTelangTawa/materialsystem2.dll, Resource win7-20240704-en
- behavioral14: Sample conf/remarksGhessWedelns/quinateTelangTawa/materialsystem2.dll, Resource win10v2004-20240709-en
- behavioral15: Sample conf/remarksGhessWedelns/quinateTelangTawa/meshsystem.dll, Resource win7-20240704-en
- behavioral16: Sample conf/remarksGhessWedelns/quinateTelangTawa/meshsystem.dll, Resource win10v2004-20240709-en
- behavioral17: Sample conf/remarksGhessWedelns/quinateTelangTawa/navsystem.dll, Resource win7-20240704-en
- behavioral18: Sample conf/remarksGhessWedelns/quinateTelangTawa/navsystem.dll, Resource win10v2004-20240704-en
- behavioral19: Sample conf/remarksGhessWedelns/quinateTelangTawa/networksystem.dll, Resource win7-20240705-en
- behavioral20: Sample conf/remarksGhessWedelns/quinateTelangTawa/networksystem.dll, Resource win10v2004-20240709-en
- behavioral21: Sample conf/remarksGhessWedelns/quinateTelangTawa/p4lib.dll, Resource win7-20240705-en
- behavioral22: Sample conf/remarksGhessWedelns/quinateTelangTawa/p4lib.dll, Resource win10v2004-20240709-en
- behavioral23: Sample conf/remarksGhessWedelns/quinateTelangTawa/panorama_text_pango.dll, Resource win7-20240704-en
- behavioral24: Sample conf/remarksGhessWedelns/quinateTelangTawa/panorama_text_pango.dll, Resource win10v2004-20240709-en
- behavioral25: Sample conf/remarksGhessWedelns/quinateTelangTawa/phonon4.dll, Resource win7-20240704-en
- behavioral26: Sample conf/remarksGhessWedelns/quinateTelangTawa/phonon4.dll, Resource win10v2004-20240709-en
- behavioral27: Sample conf/remarksGhessWedelns/quinateTelangTawa/propertyeditor.dll, Resource win7-20240705-en
- behavioral28: Sample conf/remarksGhessWedelns/quinateTelangTawa/propertyeditor.dll, Resource win10v2004-20240709-en
- behavioral29: Sample conf/remarksGhessWedelns/quinateTelangTawa/pulse_system.dll, Resource win7-20240704-en
- behavioral30: Sample conf/remarksGhessWedelns/quinateTelangTawa/pulse_system.dll, Resource win10v2004-20240709-en
- behavioral31: Sample conf/remarksGhessWedelns/quinateTelangTawa/rendersystemempty.dll, Resource win7-20240704-en
- behavioral32: Sample conf/remarksGhessWedelns/quinateTelangTawa/rendersystemempty.dll, Resource win10v2004-20240709-en
General
- Target: Launcher.exe
- Size: 562KB
- MD5: a124c92118ef2a46667aaff0de615ffa
- SHA1: ad8d41ef91842ce2ed55eb811d60adc756679dbf
- SHA256: b4311abc72d0698ce78000c6cffd9d50cc5c7560bcb0e468c4d7e88b71e2c3f6
- SHA512: cf05d0df75082d2cf9ca87fb5bf5774ddbb7dd5942b2f053741c16acc908062e144aeb138eab75b7452f42fff5db7533d297b597af6845f1d3535beb0d64844f
- SSDEEP: 12288:kesJrhOPIvA36E2jk0HI8pJP7/iZ+uASm/oajjKw6PThxlNTz30RheI/5d+ZQKZD:VAhOIA36joSq
Malware Config
Extracted
- Family: redline
- 665841
- 5.42.92.213:46419
Signatures

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoC)
  Processes:
    Resource                                                                     YARA rule
    behavioral4/memory/2052-8-0x0000000000400000-0x0000000000450000-memory.dmp   family_redline

- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, the web browser credential store.

- Loads dropped DLL (1 IoC)
  Processes:
    PID    Process
    2784   Launcher.exe

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    Description                            PID    Process        Target process
    PID 2784 set thread context of 2052    2784   Launcher.exe   MSBuild.exe

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Description   IoC                                                             Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     Launcher.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     MSBuild.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    PID    Process
    2052   MSBuild.exe (5 occurrences)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Description                PID    Process
    Token: SeDebugPrivilege    2052   MSBuild.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    Description                          PID    Process        Target process
    PID 2784 wrote to memory of 2052     2784   Launcher.exe   MSBuild.exe (8 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\Launcher.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
  PID: 2784
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 2784)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 2052
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 471KB
  MD5: d1722674d5d1bca30830b45fdc233dab
  SHA1: 7b18538ff795457974942d30fe7ef2a65985487f
  SHA256: 18bb8a4274934707d306e19c17fabebcfe0fc48ff6d6949f6fbf65da17f56d5d
  SHA512: 27a3fea95f752a4aa3ac6e22047e4ab7617cde72083634931ad2286f686c382b5f0de7f8785adc3517d3bfe734dd36c94d7ca4176f8fd2302e459450aaa347e6