Analysis
max time kernel: 148s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-06-2024 17:20
Static task: static1
Behavioral task: behavioral1
  Sample: yollskare.zip
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: yollskare.zip
  Resource: win10v2004-20240226-en
General
Target: yollskare.zip
Size: 35.0MB
MD5: 4887b175958a86cd26d2a117066a363c
SHA1: a168a2c626ab02254a6e4b7f00352e9ee549d4cf
SHA256: 227447de76c7bcb29130c5b22705a2bf09bf8d648fc3448cb832ce8e6f9be15a
SHA512: 3cb6347662cb5b16e3bf6b7b43ddf8f4a0720d00c23ffd7c0ff4d14fdca5860284ca2b91e5d6c348d5845736206f87eb4792771efab8c3ebb45a8b41d29f2d98
SSDEEP: 786432:hMuCrZX2d1wN+KLj/BMWCJd/B2VgmrJD4KrtQHRfekgr5B+pe7Q/2bFK9+O++vtZ:qGd6N+k/ed/B8gcCKWRKvu2JK/
Malware Config
Extracted (redline): 185.196.9.26:6302
Extracted (lumma): https://employeedscratshj.shop/api
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral2/memory/4404-2399-0x0000000000800000-0x0000000000850000-memory.dmp
  yara_rule: family_redline

Executes dropped EXE (2 IoCs)
  pid   process
  2004  devoscart1.exe
  3448  devoscart2.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2004  devoscart1.exe
  3448  devoscart2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process         target process
  PID 2004 set thread context of 4404  2004  devoscart1.exe  MSBuild.exe
  PID 3448 set thread context of 2148  3448  devoscart2.exe  aspnet_regiis.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   process
  4404  MSBuild.exe (20 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2368  7zFM.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                 pid   process
  Token: SeRestorePrivilege   728   7zFM.exe
  Token: 35                   728   7zFM.exe
  Token: SeRestorePrivilege   2368  7zFM.exe
  Token: 35                   2368  7zFM.exe
  Token: SeSecurityPrivilege  2368  7zFM.exe
  Token: SeDebugPrivilege     4404  MSBuild.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   process
  728   7zFM.exe
  2368  7zFM.exe (3 events)

Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid   process         target process
  PID 2004 wrote to memory of 4404  2004  devoscart1.exe  MSBuild.exe (8 events)
  PID 3448 wrote to memory of 2148  3448  devoscart2.exe  aspnet_regiis.exe (9 events)
Processes
C:\Windows\Explorer.exe
  command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\yollskare.zip

C:\Program Files\7-Zip\7zFM.exe
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\PopEnter.7z"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Program Files\7-Zip\7zFM.exe
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_yollskare.zip\vakeboard.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\vakeboard\devoscart1.exe
  command line: "C:\Users\Admin\Desktop\vakeboard\devoscart1.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child process)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\vakeboard\devoscart2.exe
  command line: "C:\Users\Admin\Desktop\vakeboard\devoscart2.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (child process)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\7zE0491E219\vakeboard\data\allonator\eyes\test\bg.pak.info
  Filesize: 554KB
  MD5: 8a679c02bfbb88c2760ca0d962c0b1c8
  SHA1: 70b1528af5c62336043b2531fa7b477f9412278d
  SHA256: bda7bd9f39a00b007f21a4e9b82fcd2267f4dfbd53800379210ab4f91e982529
  SHA512: df1031975a8acdcc471638dc21642c5081c9edb704382fd05c63ca638c61c637ceb97a480a18cfd3a1c784c020a2f2cf853f8c9bad5e3b3e3857c7ee25ea26a3

C:\Users\Admin\AppData\Local\Temp\7zE0491E219\vakeboard\data\allonator\ipv6\lib\browser\jsbn.js
  Filesize: 14KB
  MD5: 2a4325e2473367762683c8cfaa431e5e
  SHA1: cd9abab16600becbbd25dbd460de044f8ec6835d
  SHA256: 61de67d61cf9977a30ebbd11f82570d4472620e3e15af06e4c6564d96faa091a
  SHA512: 4c0132997381bbf074232857874ef0bf052f42be78abe23ea9c30c10735292f1580710df63c8eb78ae70979db301d43fb53ca3ceadc4bda4dcd7fabe13fac8db

C:\Users\Admin\AppData\Local\Temp\7zE0491E219\vakeboard\data\teans\locale\sl\LC_MESSAGES\vlc.mo
  Filesize: 587KB
  MD5: 57df9e2d44f84a5e7e87c90f68315065
  SHA1: 9970f89466e835133c9c32359d5ae50335b44bb2
  SHA256: 5d0aac392bbefee9db6dfcadef1d10c58e047cad3b49a45eb2dd1b2e99fe8efc
  SHA512: 68e80de2f7cd5b65ace061aecf897cdd1106afb52b6aa6a4736f26392bdfec2cb1b055820659c1c6922368c13ffdd86dd807731110916c82ae8ca167601beb1b

C:\Users\Admin\AppData\Roaming\d3d9.dll
  Filesize: 419KB
  MD5: 88dafe97bd572d99687b75b73b802142
  SHA1: bd93f0ddd324bb36947fe6d536eb7c926042af48
  SHA256: 0d777d8460555f21cede4f74eaac43112471dc1a1ab8750becc218ecfb760605
  SHA512: 8d2fe96b05ede3151797cb7cdcbabca782a816f5bd86dc6f959a56c420f6f60a909088e5e1388f3df192da447e76f3140ca1704dafc7950770ee473fbf27e985

C:\Users\Admin\AppData\Roaming\d3d9.dll
  Filesize: 424KB
  MD5: 2f0aea36f4a2fb2ea61aa91ab095434d
  SHA1: f51f0c9438911270b98d43e9c67dde4fa28183b0
  SHA256: b0c3bd026ff77bcf5d8bc3f8fdeac4fab69fdb1617474cec91b78bd07736886e
  SHA512: 50813c0dd6e89403da7dd281f4c3414c5198b67ab1032b0bfb13d589454bd0e75abe37aa24740268d452453ffd7689b902578eebc7248fcdd09056569cfd5831

C:\Users\Admin\Desktop\vakeboard\devoscart1.exe
  Filesize: 1.5MB
  MD5: e0dd6e92acb812288757a0084faa49d1
  SHA1: a11722441cc8036036222821e0f0b161c9e33d06
  SHA256: db5b39f624a7c0de87da23fb3d073f2f31da072a8c0af6a46669e69f96a111cf
  SHA512: 67c92ebe6ad1ef84649aa51730b3b2066b8065099807bb21d175b0cd171c50f3f4f73ff1a46f8f778841f727734e3e1fd0235927a3b02c55cdf4a7ed445073c1

C:\Users\Admin\Desktop\vakeboard\devoscart2.exe
  Filesize: 1.5MB
  MD5: 9aa54e2c5aa32236e901e17b88058499
  SHA1: ba4c2a7c6a0fb81ad9a439e1c4d4e85c150d96f3
  SHA256: a101ee722996df142c3e75bd65ef49dfc9b0dce802cd6a6dbc6364ff774d2705
  SHA512: aab2cf956d0084509174b1ca5c82128a0afad375f6151b0509922939915158fe0a995e32ce5321297e1dfc19241c8e9fe9244e982752cc86dea4de501b8dcc39
Memory dumps
  memory/2004-2392-0x0000000000F80000-0x0000000001114000-memory.dmp  Filesize: 1.6MB
  memory/2148-2415-0x0000000000780000-0x00000000007D4000-memory.dmp  Filesize: 336KB
  memory/2148-2419-0x0000000000780000-0x00000000007D4000-memory.dmp  Filesize: 336KB
  memory/2148-2414-0x0000000000780000-0x00000000007D4000-memory.dmp  Filesize: 336KB
  memory/3448-2406-0x0000000000770000-0x00000000008FE000-memory.dmp  Filesize: 1.6MB
  memory/4404-2399-0x0000000000800000-0x0000000000850000-memory.dmp  Filesize: 320KB
  memory/4404-2403-0x0000000004DE0000-0x0000000004DEA000-memory.dmp  Filesize: 40KB
  memory/4404-2402-0x0000000004D20000-0x0000000004DB2000-memory.dmp  Filesize: 584KB
  memory/4404-2401-0x00000000051F0000-0x0000000005794000-memory.dmp  Filesize: 5.6MB
  memory/4404-2420-0x0000000005DC0000-0x00000000063D8000-memory.dmp  Filesize: 6.1MB
  memory/4404-2421-0x00000000050E0000-0x00000000051EA000-memory.dmp  Filesize: 1.0MB
  memory/4404-2422-0x0000000004FD0000-0x0000000004FE2000-memory.dmp  Filesize: 72KB
  memory/4404-2423-0x0000000004FF0000-0x000000000502C000-memory.dmp  Filesize: 240KB
  memory/4404-2424-0x0000000005070000-0x00000000050BC000-memory.dmp  Filesize: 304KB
  memory/4404-2425-0x00000000059D0000-0x0000000005A36000-memory.dmp  Filesize: 408KB
  memory/4404-2426-0x00000000066B0000-0x0000000006700000-memory.dmp  Filesize: 320KB
  memory/4404-2427-0x0000000006C20000-0x0000000006DE2000-memory.dmp  Filesize: 1.8MB
  memory/4404-2428-0x0000000007320000-0x000000000784C000-memory.dmp  Filesize: 5.2MB