redline | 87cd820fbd3707a5c0163a68fc72eeee76d16867aefc372c19b03bf1edc0bbd7

General

Target

75be014e5cba03bc01cad324c0858808.exe
Size

777KB
MD5

75be014e5cba03bc01cad324c0858808
SHA1

ea7975231e51ed81b1f3f101580829b2cce39fc3
SHA256

87cd820fbd3707a5c0163a68fc72eeee76d16867aefc372c19b03bf1edc0bbd7
SHA512

fef33c0723c826d899480d0a880cce771a18d0582bca1a01144f7671bb47ddf45752c7e450fdb417f91919ec1c5c4b6a6b6f21546b0f0aa6590d993adaee8eea

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1932-50-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/1932-51-0x000000000042064E-mapping.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

bestof.exebestof.exe

pid process

1440 bestof.exe
1932 bestof.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
23 checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

bestof.exe

description pid process target process

PID 1440 set thread context of 1932 1440 bestof.exe bestof.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1440	bestof.exe
1932	bestof.exe

flow	ioc
14	ip-api.com
23	checkip.amazonaws.com

description	pid	process	target process
PID 1440 set thread context of 1932	1440	bestof.exe	bestof.exe

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3336	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe
424	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe
4064	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe
3140	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe
1404	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe
3832	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe
2300	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe
3768	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe
412	648	WerFault.exe	75be014e5cba03bc01cad324c0858808.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

75be014e5cba03bc01cad324c0858808.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	75be014e5cba03bc01cad324c0858808.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	75be014e5cba03bc01cad324c0858808.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3308 PING.EXE

pid	process
3308	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
3336	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
424	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
4064	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
3140	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe
1404	WerFault.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exebestof.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exebestof.exe

description	pid	process
Token: SeRestorePrivilege	3336	WerFault.exe
Token: SeBackupPrivilege	3336	WerFault.exe
Token: SeDebugPrivilege	3336	WerFault.exe
Token: SeDebugPrivilege	424	WerFault.exe
Token: SeDebugPrivilege	4064	WerFault.exe
Token: SeDebugPrivilege	3140	WerFault.exe
Token: SeDebugPrivilege	1404	WerFault.exe
Token: SeDebugPrivilege	1440	bestof.exe
Token: SeDebugPrivilege	3832	WerFault.exe
Token: SeDebugPrivilege	2300	WerFault.exe
Token: SeDebugPrivilege	3768	WerFault.exe
Token: SeDebugPrivilege	412	WerFault.exe
Token: SeDebugPrivilege	1932	bestof.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

75be014e5cba03bc01cad324c0858808.exebestof.exebestof.execmd.exe

description	pid	process	target process
PID 648 wrote to memory of 1440	648	75be014e5cba03bc01cad324c0858808.exe	bestof.exe
PID 648 wrote to memory of 1440	648	75be014e5cba03bc01cad324c0858808.exe	bestof.exe
PID 648 wrote to memory of 1440	648	75be014e5cba03bc01cad324c0858808.exe	bestof.exe
PID 1440 wrote to memory of 1932	1440	bestof.exe	bestof.exe
PID 1440 wrote to memory of 1932	1440	bestof.exe	bestof.exe
PID 1440 wrote to memory of 1932	1440	bestof.exe	bestof.exe
PID 1440 wrote to memory of 1932	1440	bestof.exe	bestof.exe
PID 1440 wrote to memory of 1932	1440	bestof.exe	bestof.exe
PID 1440 wrote to memory of 1932	1440	bestof.exe	bestof.exe
PID 1440 wrote to memory of 1932	1440	bestof.exe	bestof.exe
PID 1440 wrote to memory of 1932	1440	bestof.exe	bestof.exe
PID 1932 wrote to memory of 4008	1932	bestof.exe	cmd.exe
PID 1932 wrote to memory of 4008	1932	bestof.exe	cmd.exe
PID 1932 wrote to memory of 4008	1932	bestof.exe	cmd.exe
PID 4008 wrote to memory of 3308	4008	cmd.exe	PING.EXE
PID 4008 wrote to memory of 3308	4008	cmd.exe	PING.EXE
PID 4008 wrote to memory of 3308	4008	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\75be014e5cba03bc01cad324c0858808.exe
"C:\Users\Admin\AppData\Local\Temp\75be014e5cba03bc01cad324c0858808.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 760
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 888
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1212
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1572
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1540
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
bestof.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
"C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1608
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1904
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1940
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1860
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bestof.exe.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
MD5
ae71797ed71a11f172c9d03701ae88c7

SHA1
10a0cc04fbed99c4f0f1f908979455da6868f1eb

SHA256
0215f9dd19951e07aaa5ddfed10c4b46af716a8e3ce1ccb853f0992d14ee3e34

SHA512
7f6fa1d06268a9b1a3541f19f1a2636be3579d6bcb8eb6f54f53bfdd380f1a7150e32a61799aefec5b52b920e8b39213d5dacf8e24654559b1022f6fd51a5d77

Download Submit
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
MD5
ae71797ed71a11f172c9d03701ae88c7

SHA1
10a0cc04fbed99c4f0f1f908979455da6868f1eb

SHA256
0215f9dd19951e07aaa5ddfed10c4b46af716a8e3ce1ccb853f0992d14ee3e34

SHA512
7f6fa1d06268a9b1a3541f19f1a2636be3579d6bcb8eb6f54f53bfdd380f1a7150e32a61799aefec5b52b920e8b39213d5dacf8e24654559b1022f6fd51a5d77

Download Submit
C:\Users\Admin\AppData\Roaming\gfersesurity\bestof.exe
MD5
ae71797ed71a11f172c9d03701ae88c7

SHA1
10a0cc04fbed99c4f0f1f908979455da6868f1eb

SHA256
0215f9dd19951e07aaa5ddfed10c4b46af716a8e3ce1ccb853f0992d14ee3e34

SHA512
7f6fa1d06268a9b1a3541f19f1a2636be3579d6bcb8eb6f54f53bfdd380f1a7150e32a61799aefec5b52b920e8b39213d5dacf8e24654559b1022f6fd51a5d77

Download Submit
memory/412-44-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/412-47-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/424-6-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/424-9-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/648-1-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/648-0-0x000000000246B000-0x000000000246D000-memory.dmp

Filesize
8KB

Download
memory/1404-24-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1404-21-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1440-29-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1440-25-0x0000000000000000-mapping.dmp

Download
memory/1440-48-0x00000000051A0000-0x00000000051DA000-memory.dmp

Filesize
232KB

Download
memory/1440-49-0x0000000005300000-0x0000000005316000-memory.dmp

Filesize
88KB

Download
memory/1440-28-0x0000000072200000-0x00000000728EE000-memory.dmp

Filesize
6.9MB

Download
memory/1932-59-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1932-65-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/1932-70-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/1932-69-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/1932-68-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/1932-67-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/1932-66-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/1932-64-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/1932-63-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/1932-62-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/1932-61-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/1932-60-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/1932-50-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1932-51-0x000000000042064E-mapping.dmp

Download
memory/1932-58-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1932-57-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/1932-54-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-38-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2300-35-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/3140-17-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/3140-20-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/3308-72-0x0000000000000000-mapping.dmp

Download
memory/3336-5-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/3336-2-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3336-3-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3768-43-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3768-42-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3768-39-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3832-31-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/3832-34-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/4008-71-0x0000000000000000-mapping.dmp

Download
memory/4064-13-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4064-10-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads