redline | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

max time kernel
54s
max time network
70s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17/01/2025, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

redline stealc voov3 discovery infostealer stealer

Malware Config

Extracted

Family

stealc

Botnet

Voov3

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3532-25-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4656	vorpgkadeg.exe
4204	cock.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
7	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4204 set thread context of 3532	4204	cock.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vorpgkadeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	4363463463464363463463463.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 4656	1096	4363463463464363463463463.exe	81
PID 1096 wrote to memory of 4656	1096	4363463463464363463463463.exe	81
PID 1096 wrote to memory of 4656	1096	4363463463464363463463463.exe	81
PID 1096 wrote to memory of 4204	1096	4363463463464363463463463.exe	82
PID 1096 wrote to memory of 4204	1096	4363463463464363463463463.exe	82
PID 1096 wrote to memory of 4204	1096	4363463463464363463463463.exe	82
PID 4204 wrote to memory of 3532	4204	cock.exe	84
PID 4204 wrote to memory of 3532	4204	cock.exe	84
PID 4204 wrote to memory of 3532	4204	cock.exe	84
PID 4204 wrote to memory of 3532	4204	cock.exe	84
PID 4204 wrote to memory of 3532	4204	cock.exe	84
PID 4204 wrote to memory of 3532	4204	cock.exe	84
PID 4204 wrote to memory of 3532	4204	cock.exe	84
PID 4204 wrote to memory of 3532	4204	cock.exe	84

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4656
- C:\Users\Admin\AppData\Local\Temp\Files\cock.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cock.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Files\cock.exe

Filesize
1.2MB

MD5
bd909fb2282ec2e4a11400157c33494a

SHA1
ab693a29a38b705be8c3b29172c6ac1374463f62

SHA256
9941dc8857ef1b6ffc86f88bd755789ded1b42c6aead836e88466d97bb1db392

SHA512
81857f502dc0a3d922bd74a0fdde3958c05a743c50dc8281b5db74b593a020e5d1d65677e645a2a262bb873c523765ba7274b359ec9eaf7442db7caf5e5fdf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vorpgkadeg.exe

Filesize
239KB

MD5
4d58df8719d488378f0b6462b39d3c63

SHA1
4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118

SHA256
ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d

SHA512
73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738

Download Submit
memory/1096-1-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/1096-2-0x0000000005470000-0x000000000550C000-memory.dmp

Filesize
624KB

Download
memory/1096-3-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/1096-4-0x000000007459E000-0x000000007459F000-memory.dmp

Filesize
4KB

Download
memory/1096-12-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/1096-0-0x000000007459E000-0x000000007459F000-memory.dmp

Filesize
4KB

Download
memory/3532-29-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/3532-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3532-27-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/3532-28-0x0000000008140000-0x0000000008758000-memory.dmp

Filesize
6.1MB

Download
memory/3532-30-0x0000000007CF0000-0x0000000007DFA000-memory.dmp

Filesize
1.0MB

Download
memory/3532-31-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/3532-32-0x0000000007C70000-0x0000000007CBC000-memory.dmp

Filesize
304KB

Download
memory/3532-33-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/4204-23-0x0000000000490000-0x0000000000613000-memory.dmp

Filesize
1.5MB

Download
memory/4204-26-0x0000000000490000-0x0000000000613000-memory.dmp

Filesize
1.5MB

Download
memory/4656-15-0x0000000000A70000-0x0000000000CC0000-memory.dmp

Filesize
2.3MB

Download
memory/4656-13-0x0000000000A70000-0x0000000000CC0000-memory.dmp

Filesize
2.3MB

Download

Resubmissions

Analysis