redline | 31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exe
Size

324KB
MD5

3de68c62f2c0f0e2b3011f659558518d
SHA1

33abaae2b64af2ad96e25055693da95e3261e5da
SHA256

31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f
SHA512

5c566b71c4ccb945d3270984f2ed8a39ad278cdbf2fe26181f3f5d3258b98a70d5add11aaed29ec4ee34f84d1da02a0a8b62caba62b39ebdfe3bca36282c8432

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\system.exe	family_redline
\Users\Admin\AppData\Roaming\system.exe	family_redline
\Users\Admin\AppData\Roaming\system.exe	family_redline
\Users\Admin\AppData\Roaming\system.exe	family_redline
C:\Users\Admin\AppData\Roaming\system.exe	family_redline
C:\Users\Admin\AppData\Roaming\system.exe	family_redline

Executes dropped EXE 3 IoCs

Processes:

kernal.dllsystem.exesvchoct.exe

pid process

876 kernal.dll
1976 system.exe
1788 svchoct.exe

pid	process
876	kernal.dll
1976	system.exe
1788	svchoct.exe

Loads dropped DLL 9 IoCs

Processes:

31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exekernal.dll

pid	process
1408	31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exe
876	kernal.dll
876	kernal.dll
876	kernal.dll
876	kernal.dll
876	kernal.dll
876	kernal.dll
876	kernal.dll
876	kernal.dll

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system.exe

description pid process

Token: SeDebugPrivilege 1976 system.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchoct.exe

pid process

1788 svchoct.exe

description	pid	process
Token: SeDebugPrivilege	1976	system.exe

pid	process
1788	svchoct.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exekernal.dll

description	pid	process	target process
PID 1408 wrote to memory of 876	1408	31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exe	kernal.dll
PID 1408 wrote to memory of 876	1408	31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exe	kernal.dll
PID 1408 wrote to memory of 876	1408	31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exe	kernal.dll
PID 1408 wrote to memory of 876	1408	31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exe	kernal.dll
PID 876 wrote to memory of 1976	876	kernal.dll	system.exe
PID 876 wrote to memory of 1976	876	kernal.dll	system.exe
PID 876 wrote to memory of 1976	876	kernal.dll	system.exe
PID 876 wrote to memory of 1976	876	kernal.dll	system.exe
PID 876 wrote to memory of 1788	876	kernal.dll	svchoct.exe
PID 876 wrote to memory of 1788	876	kernal.dll	svchoct.exe
PID 876 wrote to memory of 1788	876	kernal.dll	svchoct.exe
PID 876 wrote to memory of 1788	876	kernal.dll	svchoct.exe

C:\Users\Admin\AppData\Local\Temp\31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exe
"C:\Users\Admin\AppData\Local\Temp\31809ce612818f617e6073006810e1d29f09ba21b2e40e4dc0f7dd666d17475f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\kernal.dll
"C:\Users\Admin\AppData\Local\Temp\kernal.dll" -s -pvsgerhfbefdafsgbetdfagvfersfgrsdfgvrwsfg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Users\Admin\AppData\Roaming\svchoct.exe
"C:\Users\Admin\AppData\Roaming\svchoct.exe"
3⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kernal.dll

MD5
61d69bd9e19833d610b84f8c125ad504

SHA1
67366a627e23ee4fdf2112a1dc166acfba5f922d

SHA256
9b8593b7bb77b2a93e5c17cdf561ffc67607908a6c10d7abea545435fd588187

SHA512
7b62cf39b446de1dbea3591cb1a1216d5ee228c0e004a6e187496de7949f99bd47048c798a4fb67a46f52d708bbedff817cee0bdaf3f3c975e74357e5048054f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kernal.dll

MD5
61d69bd9e19833d610b84f8c125ad504

SHA1
67366a627e23ee4fdf2112a1dc166acfba5f922d

SHA256
9b8593b7bb77b2a93e5c17cdf561ffc67607908a6c10d7abea545435fd588187

SHA512
7b62cf39b446de1dbea3591cb1a1216d5ee228c0e004a6e187496de7949f99bd47048c798a4fb67a46f52d708bbedff817cee0bdaf3f3c975e74357e5048054f

Download Submit
C:\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

MD5
ca357e1e5f117abbb020c08b263b62f2

SHA1
beff5e4e76db0bac24d839399bfff4604eece8b8

SHA256
92bb1d504b73c425045d75da68a67e964270e7be5900020d0dd6aac6b56c7434

SHA512
ea0465314f3af326104e18a1bbca36f64800fb744b049f7339d5245415f32a2777f663f9abe607401baf5b88081b85e96adfa74ddfb1e34f440b0a22adeef189

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

MD5
ca357e1e5f117abbb020c08b263b62f2

SHA1
beff5e4e76db0bac24d839399bfff4604eece8b8

SHA256
92bb1d504b73c425045d75da68a67e964270e7be5900020d0dd6aac6b56c7434

SHA512
ea0465314f3af326104e18a1bbca36f64800fb744b049f7339d5245415f32a2777f663f9abe607401baf5b88081b85e96adfa74ddfb1e34f440b0a22adeef189

Download Submit
\Users\Admin\AppData\Local\Temp\kernal.dll

MD5
61d69bd9e19833d610b84f8c125ad504

SHA1
67366a627e23ee4fdf2112a1dc166acfba5f922d

SHA256
9b8593b7bb77b2a93e5c17cdf561ffc67607908a6c10d7abea545435fd588187

SHA512
7b62cf39b446de1dbea3591cb1a1216d5ee228c0e004a6e187496de7949f99bd47048c798a4fb67a46f52d708bbedff817cee0bdaf3f3c975e74357e5048054f

Download Submit
\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
\Users\Admin\AppData\Roaming\svchoct.exe

MD5
dd0728982d03fd7d927832b249fd32ad

SHA1
83228580bf93d6d5af7151909feafcbfa4387a3a

SHA256
92b7d238cb311a561d0dfc823025262bdca07413eb8e408aca4ffab72c231e9b

SHA512
d7c159caa335e6b0d5d732e2d7e5d05cad68815745e26aed9270f9f98efbf159b46dbfb6b742046dc1ede0570e65ee10c5cd23d8b24c86f02fa10e8dab77fed6

Download Submit
\Users\Admin\AppData\Roaming\system.exe

MD5
ca357e1e5f117abbb020c08b263b62f2

SHA1
beff5e4e76db0bac24d839399bfff4604eece8b8

SHA256
92bb1d504b73c425045d75da68a67e964270e7be5900020d0dd6aac6b56c7434

SHA512
ea0465314f3af326104e18a1bbca36f64800fb744b049f7339d5245415f32a2777f663f9abe607401baf5b88081b85e96adfa74ddfb1e34f440b0a22adeef189

Download Submit
\Users\Admin\AppData\Roaming\system.exe

MD5
ca357e1e5f117abbb020c08b263b62f2

SHA1
beff5e4e76db0bac24d839399bfff4604eece8b8

SHA256
92bb1d504b73c425045d75da68a67e964270e7be5900020d0dd6aac6b56c7434

SHA512
ea0465314f3af326104e18a1bbca36f64800fb744b049f7339d5245415f32a2777f663f9abe607401baf5b88081b85e96adfa74ddfb1e34f440b0a22adeef189

Download Submit
\Users\Admin\AppData\Roaming\system.exe

MD5
ca357e1e5f117abbb020c08b263b62f2

SHA1
beff5e4e76db0bac24d839399bfff4604eece8b8

SHA256
92bb1d504b73c425045d75da68a67e964270e7be5900020d0dd6aac6b56c7434

SHA512
ea0465314f3af326104e18a1bbca36f64800fb744b049f7339d5245415f32a2777f663f9abe607401baf5b88081b85e96adfa74ddfb1e34f440b0a22adeef189

Download Submit
\Users\Admin\AppData\Roaming\system.exe

MD5
ca357e1e5f117abbb020c08b263b62f2

SHA1
beff5e4e76db0bac24d839399bfff4604eece8b8

SHA256
92bb1d504b73c425045d75da68a67e964270e7be5900020d0dd6aac6b56c7434

SHA512
ea0465314f3af326104e18a1bbca36f64800fb744b049f7339d5245415f32a2777f663f9abe607401baf5b88081b85e96adfa74ddfb1e34f440b0a22adeef189

Download Submit
memory/876-1-0x0000000000000000-mapping.dmp

Download
memory/1788-15-0x0000000000000000-mapping.dmp

Download
memory/1976-8-0x0000000000000000-mapping.dmp

Download
memory/1976-17-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-18-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download