redline | c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615

General

Target

c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe
Size

326KB
MD5

c4a89a02b450d3d1a68f3e51ec6d9d1d
SHA1

494a01d18a3cb20f58af0443529167106e16aea7
SHA256

c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615
SHA512

709ccae6fe172fe221603b32f68c4f8d0a4806b6fa49e8165d1974d334bcb56101b0cc48f8792e80b89f4671cd56eda50d0819881e1a61a0924b69b39161401c

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\system.exe	family_redline
C:\Users\Admin\AppData\Roaming\system.exe	family_redline
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe	family_redline
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe	family_redline

Executes dropped EXE 4 IoCs

Processes:

kernal.dllsystem.exesvchoct.exechrome.exe

pid process

1000 kernal.dll
212 system.exe
2292 svchoct.exe
3504 chrome.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 checkip.amazonaws.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1080 2292 WerFault.exe svchoct.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2176 PING.EXE
3884 PING.EXE

pid	process
1000	kernal.dll
212	system.exe
2292	svchoct.exe
3504	chrome.exe

flow	ioc
23	checkip.amazonaws.com

pid	pid_target	process	target process
1080	2292	WerFault.exe	svchoct.exe

pid	process
2176	PING.EXE
3884	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

WerFault.exechrome.exe

pid	process
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
3504	chrome.exe
3504	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	1080	WerFault.exe
Token: SeBackupPrivilege	1080	WerFault.exe
Token: SeDebugPrivilege	1080	WerFault.exe
Token: SeDebugPrivilege	3504	chrome.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exekernal.dllsystem.execmd.exechrome.execmd.exe

description	pid	process	target process
PID 428 wrote to memory of 1000	428	c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe	kernal.dll
PID 428 wrote to memory of 1000	428	c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe	kernal.dll
PID 428 wrote to memory of 1000	428	c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe	kernal.dll
PID 1000 wrote to memory of 212	1000	kernal.dll	system.exe
PID 1000 wrote to memory of 212	1000	kernal.dll	system.exe
PID 1000 wrote to memory of 212	1000	kernal.dll	system.exe
PID 1000 wrote to memory of 2292	1000	kernal.dll	svchoct.exe
PID 1000 wrote to memory of 2292	1000	kernal.dll	svchoct.exe
PID 1000 wrote to memory of 2292	1000	kernal.dll	svchoct.exe
PID 212 wrote to memory of 3504	212	system.exe	chrome.exe
PID 212 wrote to memory of 3504	212	system.exe	chrome.exe
PID 212 wrote to memory of 3504	212	system.exe	chrome.exe
PID 212 wrote to memory of 2296	212	system.exe	cmd.exe
PID 212 wrote to memory of 2296	212	system.exe	cmd.exe
PID 212 wrote to memory of 2296	212	system.exe	cmd.exe
PID 2296 wrote to memory of 2176	2296	cmd.exe	PING.EXE
PID 2296 wrote to memory of 2176	2296	cmd.exe	PING.EXE
PID 2296 wrote to memory of 2176	2296	cmd.exe	PING.EXE
PID 3504 wrote to memory of 1496	3504	chrome.exe	cmd.exe
PID 3504 wrote to memory of 1496	3504	chrome.exe	cmd.exe
PID 3504 wrote to memory of 1496	3504	chrome.exe	cmd.exe
PID 1496 wrote to memory of 3884	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 3884	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 3884	1496	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe
"C:\Users\Admin\AppData\Local\Temp\c36731bbbdf8acb5750c33bef71b6cbf5efa76f0365ca9a2856499dda7913615.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\kernal.dll
"C:\Users\Admin\AppData\Local\Temp\kernal.dll" -s -pvsgerhfbefdafsgbetdfagvfersfgrsdfgvrwsfg
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:3884

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Roaming\system.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:2176

C:\Users\Admin\AppData\Roaming\svchoct.exe
"C:\Users\Admin\AppData\Roaming\svchoct.exe"
3⤵
- Executes dropped EXE
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 292
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\chrome.exe
MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kernal.dll
MD5
40d20e2d47f03e7dd847ff21443b1ced

SHA1
af7b0e78199bb32c1b2e92fe0bbd3805d7e5a28f

SHA256
635b5f52e6bda96f21f716e6aee45caafbe2f90b50e06e4b2ef0a88f7330fbde

SHA512
30aea2424ed473c31e2f35305f9aac06adca8d86a02e115e30b27f8840986aad8cb1cd850bd0cabc11e1a3f5173857f8d90534d4102cf9ea12f451d3b38119e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kernal.dll
MD5
40d20e2d47f03e7dd847ff21443b1ced

SHA1
af7b0e78199bb32c1b2e92fe0bbd3805d7e5a28f

SHA256
635b5f52e6bda96f21f716e6aee45caafbe2f90b50e06e4b2ef0a88f7330fbde

SHA512
30aea2424ed473c31e2f35305f9aac06adca8d86a02e115e30b27f8840986aad8cb1cd850bd0cabc11e1a3f5173857f8d90534d4102cf9ea12f451d3b38119e8

Download Submit
C:\Users\Admin\AppData\Roaming\svchoct.exe
MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
C:\Users\Admin\AppData\Roaming\svchoct.exe
MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe
MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe
MD5
88004ace8eeacc107bcdded973703d92

SHA1
565e46a26f095ddd7a883111fd2a5efc2c18e0aa

SHA256
d887429d2232e10c0fcff195c6f1c8d0b079a6e2ce3822d6c96a12514716844e

SHA512
847df567adeb3406df04aa4341fe8ddaa7a8ed711a785b7f037c0bd977843ed9b50cb9c4a1752d70ba0fa912fce035cb4abdd23b80407671a759731914ececa8

Download Submit
memory/212-10-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/212-9-0x00000000719A0000-0x000000007208E000-memory.dmp

Filesize
6.9MB

Download
memory/212-3-0x0000000000000000-mapping.dmp

Download
memory/1000-0-0x0000000000000000-mapping.dmp

Download
memory/1080-12-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1080-26-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/1496-85-0x0000000000000000-mapping.dmp

Download
memory/2176-20-0x0000000000000000-mapping.dmp

Download
memory/2292-24-0x0000000000000000-mapping.dmp

Download
memory/2292-6-0x0000000000000000-mapping.dmp

Download
memory/2292-73-0x0000000000000000-mapping.dmp

Download
memory/2292-72-0x0000000000000000-mapping.dmp

Download
memory/2296-19-0x0000000000000000-mapping.dmp

Download
memory/3504-21-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3504-23-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3504-22-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3504-16-0x00000000719A0000-0x000000007208E000-memory.dmp

Filesize
6.9MB

Download
memory/3504-74-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3504-75-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/3504-76-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/3504-77-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/3504-78-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/3504-79-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/3504-80-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/3504-81-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/3504-82-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/3504-83-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/3504-84-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/3504-13-0x0000000000000000-mapping.dmp

Download
memory/3884-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads