redline | 374e047720cd4a08c72dd381e939b27d8915c09f7a09b6a37459e6ffea49938a

Analysis

max time kernel
134s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoltChecker(Forntite Checker)/BoltCheckerV2.exe
Size

17.5MB
MD5

a650737d924ff2fd21478e4529bb1b08
SHA1

b4c0b3df300104544e9a1d659e286b0de5650eff
SHA256

50b5014765d80e10215e4a33df9f6b62cf174503437d7fb1e8efc2f9197b69e1
SHA512

2c755955e15a3ab3e1d15e06c03ad4157dfbe1bb11fa601499e94a798289b1e66b345753f2d305cb5c2e0abb61bbd6efa8937f66003302fc026ed851f6cfa842
SSDEEP

393216:JQ782hu7O7vz/61OJLJYU/VmxsYUQll9QyhslLmi4mpNz:+78Mxzz/6UJYwV9YUQlALmQvz

Score

10^/10

redline nou discovery infostealer pyinstaller

Malware Config

Extracted

Family

redline

Botnet

NOu

135.236.153.9:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012118-2.dat	family_redline
behavioral1/memory/2192-10-0x0000000001020000-0x0000000001072000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2192	build (4).exe
2804	boltchecker (1).exe
616	boltchecker (1).exe

Loads dropped DLL 10 IoCs

pid	Process
764	BoltCheckerV2.exe
764	BoltCheckerV2.exe
2804	boltchecker (1).exe
616	boltchecker (1).exe
616	boltchecker (1).exe
616	boltchecker (1).exe
616	boltchecker (1).exe
616	boltchecker (1).exe
616	boltchecker (1).exe
616	boltchecker (1).exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000001dc4d-13.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BoltCheckerV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build (4).exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2192	764	BoltCheckerV2.exe	30
PID 764 wrote to memory of 2192	764	BoltCheckerV2.exe	30
PID 764 wrote to memory of 2192	764	BoltCheckerV2.exe	30
PID 764 wrote to memory of 2192	764	BoltCheckerV2.exe	30
PID 764 wrote to memory of 2804	764	BoltCheckerV2.exe	31
PID 764 wrote to memory of 2804	764	BoltCheckerV2.exe	31
PID 764 wrote to memory of 2804	764	BoltCheckerV2.exe	31
PID 764 wrote to memory of 2804	764	BoltCheckerV2.exe	31
PID 2804 wrote to memory of 616	2804	boltchecker (1).exe	33
PID 2804 wrote to memory of 616	2804	boltchecker (1).exe	33
PID 2804 wrote to memory of 616	2804	boltchecker (1).exe	33

C:\Users\Admin\AppData\Local\Temp\BoltChecker(Forntite Checker)\BoltCheckerV2.exe
"C:\Users\Admin\AppData\Local\Temp\BoltChecker(Forntite Checker)\BoltCheckerV2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\build (4).exe
  "C:\Users\Admin\AppData\Local\Temp\build (4).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\boltchecker (1).exe
  "C:\Users\Admin\AppData\Local\Temp\boltchecker (1).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\boltchecker (1).exe
    "C:\Users\Admin\AppData\Local\Temp\boltchecker (1).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28042\python312.dll

Filesize
6.6MB

MD5
cae8fa4e7cb32da83acf655c2c39d9e1

SHA1
7a0055588a2d232be8c56791642cb0f5abbc71f8

SHA256
8ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93

SHA512
db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\boltchecker (1).exe

Filesize
17.2MB

MD5
e94bad7ed8b8a749fcf0a6288f819a72

SHA1
a005a49208d0986fd56f050f21479256014a95ea

SHA256
6627a3868c3b9b01c68297da1234e6d9c52dadd756b5c20dd6b965fdf337c16c

SHA512
5ff430a4096afb0b7f511b6ab7818bdeaaad2ec2afd8f4f6739d0552dcc7c83de8a508c617130176f9624599d6ab83a4f29d0a73deac181e5db04afa155d943b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28042\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28042\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\build (4).exe

Filesize
300KB

MD5
79facd71cdf8744babe699eb633ee749

SHA1
985abf9a05fdd5ee477d61d56278332947150b75

SHA256
21d14de29ee8965a01a805ae72051b4039de6697f20fe85bd61d878a425cf22d

SHA512
453f6a66f8fc99a08cca69f5c3fe392b36510ce8e700a5b568f9cd03f785d4d674a00525142dc698baf9a182cb58848f126273554ecee71416c0ee5b8b714222

Download Submit
memory/2192-618-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/2192-10-0x0000000001020000-0x0000000001072000-memory.dmp

Filesize
328KB

Download
memory/2192-7-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/2192-2035-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/2192-2036-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download