redline | b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

General

Target

b21336f35129415d339f0a8f2fc190f5.exe
Size

676KB
MD5

b21336f35129415d339f0a8f2fc190f5
SHA1

2ee98527e54dbb943f3f34046f66fbcc134be056
SHA256

b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a
SHA512

0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Score

10^/10

redline agilenet discovery infostealer persistence spyware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Documents\\drivers\\\\uplauncher.exe,"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

update.exeuplauncher.exeuplauncher.exe

pid process

824 update.exe
1948 uplauncher.exe
904 uplauncher.exe
Loads dropped DLL 3 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exeupdate.exeuplauncher.exe

pid process

1272 b21336f35129415d339f0a8f2fc190f5.exe
824 update.exe
1948 uplauncher.exe

pid	process
824	update.exe
1948	uplauncher.exe
904	uplauncher.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/824-24-0x0000000000B60000-0x0000000000B81000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exe

description pid process target process

PID 1684 set thread context of 1272 1684 b21336f35129415d339f0a8f2fc190f5.exe b21336f35129415d339f0a8f2fc190f5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1684 set thread context of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exeupdate.exeuplauncher.exeuplauncher.exe

pid	process
1272	b21336f35129415d339f0a8f2fc190f5.exe
1272	b21336f35129415d339f0a8f2fc190f5.exe
824	update.exe
824	update.exe
824	update.exe
1948	uplauncher.exe
1948	uplauncher.exe
1948	uplauncher.exe
904	uplauncher.exe
904	uplauncher.exe
904	uplauncher.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exeupdate.exeuplauncher.exeuplauncher.exe

description	pid	process
Token: SeDebugPrivilege	1272	b21336f35129415d339f0a8f2fc190f5.exe
Token: SeDebugPrivilege	824	update.exe
Token: SeDebugPrivilege	1948	uplauncher.exe
Token: SeDebugPrivilege	904	uplauncher.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exeb21336f35129415d339f0a8f2fc190f5.exeupdate.execmd.exeuplauncher.exe

description	pid	process	target process
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1684 wrote to memory of 1272	1684	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 1272 wrote to memory of 824	1272	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 1272 wrote to memory of 824	1272	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 1272 wrote to memory of 824	1272	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 1272 wrote to memory of 824	1272	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 1272 wrote to memory of 824	1272	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 1272 wrote to memory of 824	1272	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 1272 wrote to memory of 824	1272	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 824 wrote to memory of 1932	824	update.exe	cmd.exe
PID 824 wrote to memory of 1932	824	update.exe	cmd.exe
PID 824 wrote to memory of 1932	824	update.exe	cmd.exe
PID 824 wrote to memory of 1932	824	update.exe	cmd.exe
PID 1932 wrote to memory of 1168	1932	cmd.exe	reg.exe
PID 1932 wrote to memory of 1168	1932	cmd.exe	reg.exe
PID 1932 wrote to memory of 1168	1932	cmd.exe	reg.exe
PID 1932 wrote to memory of 1168	1932	cmd.exe	reg.exe
PID 824 wrote to memory of 1948	824	update.exe	uplauncher.exe
PID 824 wrote to memory of 1948	824	update.exe	uplauncher.exe
PID 824 wrote to memory of 1948	824	update.exe	uplauncher.exe
PID 824 wrote to memory of 1948	824	update.exe	uplauncher.exe
PID 824 wrote to memory of 1948	824	update.exe	uplauncher.exe
PID 824 wrote to memory of 1948	824	update.exe	uplauncher.exe
PID 824 wrote to memory of 1948	824	update.exe	uplauncher.exe
PID 1948 wrote to memory of 904	1948	uplauncher.exe	uplauncher.exe
PID 1948 wrote to memory of 904	1948	uplauncher.exe	uplauncher.exe
PID 1948 wrote to memory of 904	1948	uplauncher.exe	uplauncher.exe
PID 1948 wrote to memory of 904	1948	uplauncher.exe	uplauncher.exe
PID 1948 wrote to memory of 904	1948	uplauncher.exe	uplauncher.exe
PID 1948 wrote to memory of 904	1948	uplauncher.exe	uplauncher.exe
PID 1948 wrote to memory of 904	1948	uplauncher.exe	uplauncher.exe

C:\Users\Admin\AppData\Local\Temp\b21336f35129415d339f0a8f2fc190f5.exe
"C:\Users\Admin\AppData\Local\Temp\b21336f35129415d339f0a8f2fc190f5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\b21336f35129415d339f0a8f2fc190f5.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\drivers\\uplauncher.exe,"
4⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\drivers\\uplauncher.exe,"
5⤵
- Modifies WinLogon for persistence
PID:1168

C:\Users\Admin\Documents\drivers\uplauncher.exe
"C:\Users\Admin\Documents\drivers\uplauncher.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\Documents\drivers\uplauncher.exe
"C:\Users\Admin\Documents\drivers\uplauncher.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
C:\Users\Admin\Documents\drivers\uplauncher.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
C:\Users\Admin\Documents\drivers\uplauncher.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
C:\Users\Admin\Documents\drivers\uplauncher.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
\Users\Admin\Documents\drivers\uplauncher.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
\Users\Admin\Documents\drivers\uplauncher.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
memory/824-19-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/824-27-0x0000000004E91000-0x0000000004E92000-memory.dmp

Filesize
4KB

Download
memory/824-15-0x0000000000000000-mapping.dmp

Download
memory/824-18-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/824-21-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/824-22-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/824-24-0x0000000000B60000-0x0000000000B81000-memory.dmp

Filesize
132KB

Download
memory/904-49-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/904-48-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/904-52-0x0000000005231000-0x0000000005232000-memory.dmp

Filesize
4KB

Download
memory/904-42-0x0000000000000000-mapping.dmp

Download
memory/904-45-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/1168-26-0x0000000000000000-mapping.dmp

Download
memory/1272-13-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1272-10-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1272-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1272-9-0x000000000041FF7A-mapping.dmp

Download
memory/1684-2-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-3-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1684-5-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1684-6-0x0000000000440000-0x000000000044B000-memory.dmp

Filesize
44KB

Download
memory/1684-7-0x0000000004760000-0x00000000047A8000-memory.dmp

Filesize
288KB

Download
memory/1932-25-0x0000000000000000-mapping.dmp

Download
memory/1948-32-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1948-40-0x0000000004E81000-0x0000000004E82000-memory.dmp

Filesize
4KB

Download
memory/1948-36-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1948-37-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1948-34-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/1948-33-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-29-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads