redline | d3f7cb3de3822efc9adac2b898bae8078bdea2806b97a02260c5f10a47647460

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launchеr-pс.zip
Size

30.0MB
MD5

7814873eb175159cdecb6c6276737e2e
SHA1

ed4fa5112d9092b654c0bc4639ede789f2071636
SHA256

d3f7cb3de3822efc9adac2b898bae8078bdea2806b97a02260c5f10a47647460
SHA512

b02604c9311ed85923bc6d53ad1dd9ec6c93a8c4600986156042c9d7fbce5517a8d4157aa779450f1b8ed67fb75dd34a697eddec09ee25bb641d8d53db132aa9
SSDEEP

786432:u3/cI91oBjJm7QaC6v72bQgVR6uNliUqMAV7sDpE8l5:u3kIL1RCiq0gnpNCVItz

Score

10^/10

redline @miromistin0 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@miromistin0

94.142.138.4:80

Attributes

auth_value
2ee380277e944675703ad248459af8c3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2508-10-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 1 IoCs

pid	Process
1388	launcher-pc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 2508	1388	launcher-pc.exe	97

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	1388	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launcher-pc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3636	7zFM.exe
3636	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3636	7zFM.exe
2964	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3636	7zFM.exe
Token: 35	3636	7zFM.exe
Token: SeSecurityPrivilege	3636	7zFM.exe
Token: SeRestorePrivilege	2964	7zFM.exe
Token: 35	2964	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3636	7zFM.exe
3636	7zFM.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 1388	3636	7zFM.exe	94
PID 3636 wrote to memory of 1388	3636	7zFM.exe	94
PID 3636 wrote to memory of 1388	3636	7zFM.exe	94
PID 1388 wrote to memory of 2508	1388	launcher-pc.exe	97
PID 1388 wrote to memory of 2508	1388	launcher-pc.exe	97
PID 1388 wrote to memory of 2508	1388	launcher-pc.exe	97
PID 1388 wrote to memory of 2508	1388	launcher-pc.exe	97
PID 1388 wrote to memory of 2508	1388	launcher-pc.exe	97
PID 1388 wrote to memory of 2508	1388	launcher-pc.exe	97
PID 1388 wrote to memory of 2508	1388	launcher-pc.exe	97
PID 1388 wrote to memory of 2508	1388	launcher-pc.exe	97

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\launchеr-pс.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\7zO43E051A8\launcher-pc.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO43E051A8\launcher-pc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 568
    3⤵
    - Program crash
    PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1388 -ip 1388
1⤵
PID:1068

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO43E051A8\launcher-pc.exe

Filesize
2.5MB

MD5
d6d84868aa9df862b91ca343bea969d3

SHA1
974771cdd073aeb5f501124c8ba6f2c709b29365

SHA256
d3274357297a619559c42b2673d54b93424a175af986c5ce5840632e3ac91455

SHA512
3232ffaffe226d6b0189aa158c118ab8248635d5b257cf9409c51b463c50ddea722447d29900eb357b6395e4acdc944dadbd921eb417ea28162abe99c0d1647e

Download Submit
memory/1388-8-0x0000000000090000-0x0000000000300000-memory.dmp

Filesize
2.4MB

Download
memory/1388-15-0x0000000000090000-0x0000000000300000-memory.dmp

Filesize
2.4MB

Download
memory/2508-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2508-11-0x0000000002D30000-0x0000000002D36000-memory.dmp

Filesize
24KB

Download
memory/2508-12-0x00000000064D0000-0x0000000006AE8000-memory.dmp

Filesize
6.1MB

Download
memory/2508-13-0x00000000060F0000-0x00000000061FA000-memory.dmp

Filesize
1.0MB

Download
memory/2508-14-0x0000000005FE0000-0x0000000005FF2000-memory.dmp

Filesize
72KB

Download
memory/2508-16-0x0000000006240000-0x000000000627C000-memory.dmp

Filesize
240KB

Download
memory/2508-17-0x0000000006AF0000-0x0000000006B3C000-memory.dmp

Filesize
304KB

Download