redline | c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe
Size

326KB
MD5

c4a89a02b450d3d1a68f3e51ec6d9d1d
SHA1

494a01d18a3cb20f58af0443529167106e16aea7
SHA256

c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615
SHA512

709ccae6fe172fe221603b32f68c4f8d0a4806b6fa49e8165d1974d334bcb56101b0cc48f8792e80b89f4671cd56eda50d0819881e1a61a0924b69b39161401c

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\system.exe	family_redline
\Users\Admin\AppData\Roaming\system.exe	family_redline
\Users\Admin\AppData\Roaming\system.exe	family_redline
\Users\Admin\AppData\Roaming\system.exe	family_redline
C:\Users\Admin\AppData\Roaming\system.exe	family_redline
C:\Users\Admin\AppData\Roaming\system.exe	family_redline
\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe	family_redline
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe	family_redline
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe	family_redline

Executes dropped EXE 4 IoCs

Processes:

kernal.dllsystem.exesvchoct.exechrome.exe

pid process

1176 kernal.dll
2008 system.exe
1796 svchoct.exe
1720 chrome.exe

pid	process
1176	kernal.dll
2008	system.exe
1796	svchoct.exe
1720	chrome.exe

Loads dropped DLL 10 IoCs

Processes:

c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exekernal.dllsystem.exe

pid	process
1980	c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe
1176	kernal.dll
1176	kernal.dll
1176	kernal.dll
1176	kernal.dll
1176	kernal.dll
1176	kernal.dll
1176	kernal.dll
1176	kernal.dll
2008	system.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 checkip.amazonaws.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

324 PING.EXE
1752 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1720 chrome.exe
1720 chrome.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

chrome.exe

description pid process

Token: SeDebugPrivilege 1720 chrome.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchoct.exe

pid process

1796 svchoct.exe

flow	ioc
10	checkip.amazonaws.com

pid	process
324	PING.EXE
1752	PING.EXE

pid	process
1720	chrome.exe
1720	chrome.exe

description	pid	process
Token: SeDebugPrivilege	1720	chrome.exe

pid	process
1796	svchoct.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exekernal.dllsystem.execmd.exechrome.execmd.exe

description	pid	process	target process
PID 1980 wrote to memory of 1176	1980	c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe	kernal.dll
PID 1980 wrote to memory of 1176	1980	c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe	kernal.dll
PID 1980 wrote to memory of 1176	1980	c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe	kernal.dll
PID 1980 wrote to memory of 1176	1980	c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe	kernal.dll
PID 1176 wrote to memory of 2008	1176	kernal.dll	system.exe
PID 1176 wrote to memory of 2008	1176	kernal.dll	system.exe
PID 1176 wrote to memory of 2008	1176	kernal.dll	system.exe
PID 1176 wrote to memory of 2008	1176	kernal.dll	system.exe
PID 1176 wrote to memory of 1796	1176	kernal.dll	svchoct.exe
PID 1176 wrote to memory of 1796	1176	kernal.dll	svchoct.exe
PID 1176 wrote to memory of 1796	1176	kernal.dll	svchoct.exe
PID 1176 wrote to memory of 1796	1176	kernal.dll	svchoct.exe
PID 2008 wrote to memory of 1720	2008	system.exe	chrome.exe
PID 2008 wrote to memory of 1720	2008	system.exe	chrome.exe
PID 2008 wrote to memory of 1720	2008	system.exe	chrome.exe
PID 2008 wrote to memory of 1720	2008	system.exe	chrome.exe
PID 2008 wrote to memory of 868	2008	system.exe	cmd.exe
PID 2008 wrote to memory of 868	2008	system.exe	cmd.exe
PID 2008 wrote to memory of 868	2008	system.exe	cmd.exe
PID 2008 wrote to memory of 868	2008	system.exe	cmd.exe
PID 868 wrote to memory of 324	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 324	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 324	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 324	868	cmd.exe	PING.EXE
PID 1720 wrote to memory of 2028	1720	chrome.exe	cmd.exe
PID 1720 wrote to memory of 2028	1720	chrome.exe	cmd.exe
PID 1720 wrote to memory of 2028	1720	chrome.exe	cmd.exe
PID 1720 wrote to memory of 2028	1720	chrome.exe	cmd.exe
PID 2028 wrote to memory of 1752	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1752	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1752	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1752	2028	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe
"C:\Users\Admin\AppData\Local\Temp\c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\kernal.dll
"C:\Users\Admin\AppData\Local\Temp\kernal.dll" -s -pvsgerhfbefdafsgbetdfagvfersfgrsdfgvrwsfg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:1752

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Roaming\system.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:324

C:\Users\Admin\AppData\Roaming\svchoct.exe
"C:\Users\Admin\AppData\Roaming\svchoct.exe"
3⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kernal.dll

MD5
40d20e2d47f03e7dd847ff21443b1ced

SHA1
af7b0e78199bb32c1b2e92fe0bbd3805d7e5a28f

SHA256
635b5f52e6bda96f21f716e6aee45caafbe2f90b50e06e4b2ef0a88f7330fbde

SHA512
30aea2424ed473c31e2f35305f9aac06adca8d86a02e115e30b27f8840986aad8cb1cd850bd0cabc11e1a3f5173857f8d90534d4102cf9ea12f451d3b38119e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kernal.dll

MD5
40d20e2d47f03e7dd847ff21443b1ced

SHA1
af7b0e78199bb32c1b2e92fe0bbd3805d7e5a28f

SHA256
635b5f52e6bda96f21f716e6aee45caafbe2f90b50e06e4b2ef0a88f7330fbde

SHA512
30aea2424ed473c31e2f35305f9aac06adca8d86a02e115e30b27f8840986aad8cb1cd850bd0cabc11e1a3f5173857f8d90534d4102cf9ea12f451d3b38119e8

Download Submit
C:\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
\Users\Admin\AppData\Local\Temp\kernal.dll

MD5
40d20e2d47f03e7dd847ff21443b1ced

SHA1
af7b0e78199bb32c1b2e92fe0bbd3805d7e5a28f

SHA256
635b5f52e6bda96f21f716e6aee45caafbe2f90b50e06e4b2ef0a88f7330fbde

SHA512
30aea2424ed473c31e2f35305f9aac06adca8d86a02e115e30b27f8840986aad8cb1cd850bd0cabc11e1a3f5173857f8d90534d4102cf9ea12f451d3b38119e8

Download Submit
\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
\Users\Admin\AppData\Roaming\system.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
\Users\Admin\AppData\Roaming\system.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
\Users\Admin\AppData\Roaming\system.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
\Users\Admin\AppData\Roaming\system.exe

MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
memory/324-28-0x0000000000000000-mapping.dmp

Download
memory/868-27-0x0000000000000000-mapping.dmp

Download
memory/1176-1-0x0000000000000000-mapping.dmp

Download
memory/1720-24-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-21-0x0000000000000000-mapping.dmp

Download
memory/1720-25-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1752-30-0x0000000000000000-mapping.dmp

Download
memory/1796-15-0x0000000000000000-mapping.dmp

Download
memory/2008-18-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2008-8-0x0000000000000000-mapping.dmp

Download
memory/2008-17-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/2028-29-0x0000000000000000-mapping.dmp

Download