redline | 2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7v20201028
submitted
18-02-2021 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

169KB
MD5

874d5bd8807cebd41fd65ea12f4f9252
SHA1

d3833cf480b3d6bdd05be3e837cdebabfc6cdb5d
SHA256

2b1503e2375fcd64699867b513e8e51a6f15a1fbc461755249bff01adb658985
SHA512

b2e47db04d8bc92037e1d1492df161f1e66a75ef99e3c77b3ae6b9b74e270cb7b705f02b26ca9edf63a138244ca013fb4b7d41d4ade66404d1ec77433bbe1b48

Score

10^/10

redline discovery infostealer persistence spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1312-28-0x0000000000990000-0x00000000009BE000-memory.dmp	family_redline
behavioral1/memory/1312-36-0x0000000002480000-0x00000000024AC000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

2828555.311543656.167781992.85Windows Host.exe

pid process

1260 2828555.31
1412 1543656.16
1312 7781992.85
1816 Windows Host.exe
Loads dropped DLL 2 IoCs

Processes:

1543656.16

pid process

1412 1543656.16
1412 1543656.16
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1260	2828555.31
1412	1543656.16
1312	7781992.85
1816	Windows Host.exe

pid	process
1412	1543656.16
1412	1543656.16

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1543656.16

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	1543656.16

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2828555.31

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2828555.31
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2828555.31
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2828555.31

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2828555.317781992.85

pid process

1260 2828555.31
1260 2828555.31
1312 7781992.85
1312 7781992.85
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

installer.exe2828555.317781992.85

description pid process

Token: SeDebugPrivilege 528 installer.exe
Token: SeDebugPrivilege 1260 2828555.31
Token: SeDebugPrivilege 1312 7781992.85

pid	process
1260	2828555.31
1260	2828555.31
1312	7781992.85
1312	7781992.85

description	pid	process
Token: SeDebugPrivilege	528	installer.exe
Token: SeDebugPrivilege	1260	2828555.31
Token: SeDebugPrivilege	1312	7781992.85

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

installer.exe1543656.16

description	pid	process	target process
PID 528 wrote to memory of 1260	528	installer.exe	2828555.31
PID 528 wrote to memory of 1260	528	installer.exe	2828555.31
PID 528 wrote to memory of 1260	528	installer.exe	2828555.31
PID 528 wrote to memory of 1260	528	installer.exe	2828555.31
PID 528 wrote to memory of 1412	528	installer.exe	1543656.16
PID 528 wrote to memory of 1412	528	installer.exe	1543656.16
PID 528 wrote to memory of 1412	528	installer.exe	1543656.16
PID 528 wrote to memory of 1412	528	installer.exe	1543656.16
PID 528 wrote to memory of 1312	528	installer.exe	7781992.85
PID 528 wrote to memory of 1312	528	installer.exe	7781992.85
PID 528 wrote to memory of 1312	528	installer.exe	7781992.85
PID 528 wrote to memory of 1312	528	installer.exe	7781992.85
PID 1412 wrote to memory of 1816	1412	1543656.16	Windows Host.exe
PID 1412 wrote to memory of 1816	1412	1543656.16	Windows Host.exe
PID 1412 wrote to memory of 1816	1412	1543656.16	Windows Host.exe
PID 1412 wrote to memory of 1816	1412	1543656.16	Windows Host.exe

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\ProgramData\2828555.31
"C:\ProgramData\2828555.31"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\ProgramData\1543656.16
"C:\ProgramData\1543656.16"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1412

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
3⤵
- Executes dropped EXE
PID:1816

C:\ProgramData\7781992.85
"C:\ProgramData\7781992.85"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1543656.16
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\1543656.16
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\2828555.31
MD5
904bbb6336a78d19b515878f36544d1a

SHA1
ff2d436cfa95fd378ae4f5efd74821e636089e07

SHA256
55c2c7beacfd643cea2d690d0da9f5b76a6e9e51cc87767bb6fcd810cefc9d6c

SHA512
a4b9ed086866c2c8bf4ddd0011ab8c9c84dd69cfdb8ed4c8b02eb5605e18353d2f463b64173cb95e60705edc02f04354ff414b3e6d62c6e5f26a116a9086043a

Download Submit
C:\ProgramData\2828555.31
MD5
904bbb6336a78d19b515878f36544d1a

SHA1
ff2d436cfa95fd378ae4f5efd74821e636089e07

SHA256
55c2c7beacfd643cea2d690d0da9f5b76a6e9e51cc87767bb6fcd810cefc9d6c

SHA512
a4b9ed086866c2c8bf4ddd0011ab8c9c84dd69cfdb8ed4c8b02eb5605e18353d2f463b64173cb95e60705edc02f04354ff414b3e6d62c6e5f26a116a9086043a

Download Submit
C:\ProgramData\7781992.85
MD5
83adb9a9fc01f40b5f673552e0efd229

SHA1
e294b88bb268dc447857e182546018bbd8fafb46

SHA256
593f218cae02339ae7e02b4e5f63c06138f8596ef259e67f798d19a584a0ca1f

SHA512
8ce287738cf0a857a88fbd582d8b87acae412e75539ad48ff309ff3bc552d968e6e932aa8a6d3917c22e195e7a8a1562100c38b2ae888776ef7234b6a5167676

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
C:\ProgramData\Windows Host\Windows Host.exe
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
\ProgramData\Windows Host\Windows Host.exe
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
\ProgramData\Windows Host\Windows Host.exe
MD5
6eedffd3651138e002a6a9639eca9830

SHA1
8a0c7542187471603f2ff4f8cc5977d8be44dfbe

SHA256
88304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f

SHA512
22f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a

Download Submit
memory/528-6-0x0000000000500000-0x000000000051E000-memory.dmp

Filesize
120KB

Download
memory/528-2-0x000007FEF6300000-0x000007FEF6CEC000-memory.dmp

Filesize
9.9MB

Download
memory/528-5-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/528-3-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/528-7-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/528-8-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/1260-38-0x00000000004B0000-0x00000000004E5000-memory.dmp

Filesize
212KB

Download
memory/1260-35-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1260-29-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1260-39-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1260-21-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/1260-9-0x0000000000000000-mapping.dmp

Download
memory/1260-24-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1312-19-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/1312-28-0x0000000000990000-0x00000000009BE000-memory.dmp

Filesize
184KB

Download
memory/1312-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1312-22-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/1312-18-0x00000000025A0000-0x00000000025B1000-memory.dmp

Filesize
68KB

Download
memory/1312-32-0x0000000004F21000-0x0000000004F22000-memory.dmp

Filesize
4KB

Download
memory/1312-17-0x0000000000AC0000-0x0000000000AD1000-memory.dmp

Filesize
68KB

Download
memory/1312-33-0x0000000004F22000-0x0000000004F23000-memory.dmp

Filesize
4KB

Download
memory/1312-34-0x0000000004F23000-0x0000000004F24000-memory.dmp

Filesize
4KB

Download
memory/1312-36-0x0000000002480000-0x00000000024AC000-memory.dmp

Filesize
176KB

Download
memory/1312-15-0x0000000000000000-mapping.dmp

Download
memory/1312-47-0x0000000004F24000-0x0000000004F26000-memory.dmp

Filesize
8KB

Download
memory/1412-25-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1412-37-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1412-31-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/1412-30-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1412-20-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/1412-12-0x0000000000000000-mapping.dmp

Download
memory/1816-42-0x0000000000000000-mapping.dmp

Download
memory/1816-45-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/1816-46-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1816-52-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download