redline | ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016

General

Target

JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe
Size

704.3MB
MD5

d6517c831fd06883d9b8cc4842b47358
SHA1

46e964b14908b361bafe3d50fb7216ab83db3b68
SHA256

ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016
SHA512

96408c4d94e90a3279ce36c85e0f5ea29458e3df2ae480632fd0d74e457a642034a1ea5ee69b94fe1f10fbb789b75b845063a5ae73c04c3d6cd7b8868499931f
SSDEEP

3072:JOreOMJ7QyReGBa+ty6FaTfYzHTlXCP2xYmwyLfsHM8Cxsh:JOreOvyReKFaTfYPlk2phLwCxs

Score

10^/10

redline 1086881322_99 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

1086881322_99

C2

screenglasses.xyz:3306

screenglasses.xyz:28786

Attributes

auth_value
c7b4b3ad5c912786e8dea8b34a307b0d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2064-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2064-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2064-3-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Redline family
redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	2164	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2064	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	31
PID 2164 wrote to memory of 2736	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	32
PID 2164 wrote to memory of 2736	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	32
PID 2164 wrote to memory of 2736	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	32
PID 2164 wrote to memory of 2736	2164	JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ccda23f4b2650b4b3a179d8e9998db0975161dbcdb752295379e447ca8c0c016.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 52
  2⤵
  - Program crash
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2064-1-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2064-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2064-48-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2064-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2064-57-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2064-58-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2164-0-0x0000000000416000-0x0000000000417000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing