redline | f9ef65133d324e1026972cbfbbe86fb0f2a4174a864dedbb45a73857770baaad

General

Target

85ef416ea4190eaf38a2697152ee6561.exe
Size

3.0MB
MD5

85ef416ea4190eaf38a2697152ee6561
SHA1

556d37b62d2068273f56a988e4aed4429d7c10f6
SHA256

f9ef65133d324e1026972cbfbbe86fb0f2a4174a864dedbb45a73857770baaad
SHA512

acc21ec3f786eaabfc1d296183e218c277fabac86345a02bf45da4c9c864a29193f6c591cc9902389e3301b021e064a2149171c434d1bf95cd62c125962fb4b7

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/604-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/604-9-0x000000000041EFCA-mapping.dmp	family_redline
behavioral1/memory/604-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

SmartScreen.exe

pid process

340 SmartScreen.exe
Loads dropped DLL 1 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe

pid process

604 85ef416ea4190eaf38a2697152ee6561.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe

description pid process target process

PID 1828 set thread context of 604 1828 85ef416ea4190eaf38a2697152ee6561.exe 85ef416ea4190eaf38a2697152ee6561.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
340	SmartScreen.exe

pid	process
604	85ef416ea4190eaf38a2697152ee6561.exe

description	pid	process	target process
PID 1828 set thread context of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

85ef416ea4190eaf38a2697152ee6561.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	85ef416ea4190eaf38a2697152ee6561.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	85ef416ea4190eaf38a2697152ee6561.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	85ef416ea4190eaf38a2697152ee6561.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe

pid process

604 85ef416ea4190eaf38a2697152ee6561.exe
604 85ef416ea4190eaf38a2697152ee6561.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe

description pid process

Token: SeDebugPrivilege 604 85ef416ea4190eaf38a2697152ee6561.exe

pid	process
604	85ef416ea4190eaf38a2697152ee6561.exe
604	85ef416ea4190eaf38a2697152ee6561.exe

description	pid	process
Token: SeDebugPrivilege	604	85ef416ea4190eaf38a2697152ee6561.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe85ef416ea4190eaf38a2697152ee6561.exe

description	pid	process	target process
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1828 wrote to memory of 604	1828	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 604 wrote to memory of 340	604	85ef416ea4190eaf38a2697152ee6561.exe	SmartScreen.exe
PID 604 wrote to memory of 340	604	85ef416ea4190eaf38a2697152ee6561.exe	SmartScreen.exe
PID 604 wrote to memory of 340	604	85ef416ea4190eaf38a2697152ee6561.exe	SmartScreen.exe
PID 604 wrote to memory of 340	604	85ef416ea4190eaf38a2697152ee6561.exe	SmartScreen.exe

C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe
"C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe
"C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe
"C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe"
3⤵
- Executes dropped EXE
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe
MD5
9b1d450411df0315c8586d9e9fed1c80

SHA1
a7ee3d0e3257261ba1f6a8920fe27518c3fa7d83

SHA256
e74a678dab7fca1ea27de8906f9c8a70f3e7023f54cf96f7e2b2f63b6881de46

SHA512
7a616d85729a9971f22f01441d2f48335e44998f117707e1c2cd1b3b138b4264398ecc09da88c25d62a67b7932f71414b9b667c48afb2f1a5cb34630e161640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe
MD5
9b1d450411df0315c8586d9e9fed1c80

SHA1
a7ee3d0e3257261ba1f6a8920fe27518c3fa7d83

SHA256
e74a678dab7fca1ea27de8906f9c8a70f3e7023f54cf96f7e2b2f63b6881de46

SHA512
7a616d85729a9971f22f01441d2f48335e44998f117707e1c2cd1b3b138b4264398ecc09da88c25d62a67b7932f71414b9b667c48afb2f1a5cb34630e161640c

Download Submit
\Users\Admin\AppData\Local\Temp\SmartScreen.exe
MD5
9b1d450411df0315c8586d9e9fed1c80

SHA1
a7ee3d0e3257261ba1f6a8920fe27518c3fa7d83

SHA256
e74a678dab7fca1ea27de8906f9c8a70f3e7023f54cf96f7e2b2f63b6881de46

SHA512
7a616d85729a9971f22f01441d2f48335e44998f117707e1c2cd1b3b138b4264398ecc09da88c25d62a67b7932f71414b9b667c48afb2f1a5cb34630e161640c

Download Submit
memory/340-22-0x00000000003A0000-0x00000000003A4000-memory.dmp

Filesize
16KB

Download
memory/340-21-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/340-19-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/340-18-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/340-15-0x0000000000000000-mapping.dmp

Download
memory/604-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/604-13-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/604-10-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/604-9-0x000000000041EFCA-mapping.dmp

Download
memory/604-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1828-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1828-7-0x0000000000D60000-0x0000000000DA8000-memory.dmp

Filesize
288KB

Download
memory/1828-6-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1828-5-0x00000000004A0000-0x00000000004A3000-memory.dmp

Filesize
12KB

Download
memory/1828-3-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads