redline | b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

General

Target

b21336f35129415d339f0a8f2fc190f5.exe
Size

676KB
MD5

b21336f35129415d339f0a8f2fc190f5
SHA1

2ee98527e54dbb943f3f34046f66fbcc134be056
SHA256

b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a
SHA512

0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Score

10^/10

redline agilenet discovery infostealer persistence spyware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Documents\\drivers\\\\uplauncher.exe,"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

update.exeuplauncher.exeuplauncher.exe

pid process

8 update.exe
2168 uplauncher.exe
188 uplauncher.exe

pid	process
8	update.exe
2168	uplauncher.exe
188	uplauncher.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/8-46-0x0000000006B90000-0x0000000006BB1000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exe

description pid process target process

PID 508 set thread context of 204 508 b21336f35129415d339f0a8f2fc190f5.exe b21336f35129415d339f0a8f2fc190f5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 508 set thread context of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exeupdate.exeuplauncher.exeuplauncher.exe

pid	process
204	b21336f35129415d339f0a8f2fc190f5.exe
204	b21336f35129415d339f0a8f2fc190f5.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
8	update.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
2168	uplauncher.exe
188	uplauncher.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exeupdate.exeuplauncher.exeuplauncher.exe

description	pid	process
Token: SeDebugPrivilege	204	b21336f35129415d339f0a8f2fc190f5.exe
Token: SeDebugPrivilege	8	update.exe
Token: SeDebugPrivilege	2168	uplauncher.exe
Token: SeDebugPrivilege	188	uplauncher.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b21336f35129415d339f0a8f2fc190f5.exeb21336f35129415d339f0a8f2fc190f5.exeupdate.execmd.exeuplauncher.exe

description	pid	process	target process
PID 508 wrote to memory of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 508 wrote to memory of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 508 wrote to memory of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 508 wrote to memory of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 508 wrote to memory of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 508 wrote to memory of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 508 wrote to memory of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 508 wrote to memory of 204	508	b21336f35129415d339f0a8f2fc190f5.exe	b21336f35129415d339f0a8f2fc190f5.exe
PID 204 wrote to memory of 8	204	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 204 wrote to memory of 8	204	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 204 wrote to memory of 8	204	b21336f35129415d339f0a8f2fc190f5.exe	update.exe
PID 8 wrote to memory of 3004	8	update.exe	cmd.exe
PID 8 wrote to memory of 3004	8	update.exe	cmd.exe
PID 8 wrote to memory of 3004	8	update.exe	cmd.exe
PID 3004 wrote to memory of 1000	3004	cmd.exe	reg.exe
PID 3004 wrote to memory of 1000	3004	cmd.exe	reg.exe
PID 3004 wrote to memory of 1000	3004	cmd.exe	reg.exe
PID 8 wrote to memory of 2168	8	update.exe	uplauncher.exe
PID 8 wrote to memory of 2168	8	update.exe	uplauncher.exe
PID 8 wrote to memory of 2168	8	update.exe	uplauncher.exe
PID 2168 wrote to memory of 188	2168	uplauncher.exe	uplauncher.exe
PID 2168 wrote to memory of 188	2168	uplauncher.exe	uplauncher.exe
PID 2168 wrote to memory of 188	2168	uplauncher.exe	uplauncher.exe

C:\Users\Admin\AppData\Local\Temp\b21336f35129415d339f0a8f2fc190f5.exe
"C:\Users\Admin\AppData\Local\Temp\b21336f35129415d339f0a8f2fc190f5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\b21336f35129415d339f0a8f2fc190f5.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\drivers\\uplauncher.exe,"
4⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Documents\drivers\\uplauncher.exe,"
5⤵
- Modifies WinLogon for persistence
PID:1000

C:\Users\Admin\Documents\drivers\uplauncher.exe
"C:\Users\Admin\Documents\drivers\uplauncher.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\Documents\drivers\uplauncher.exe
"C:\Users\Admin\Documents\drivers\uplauncher.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b21336f35129415d339f0a8f2fc190f5.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uplauncher.exe.log
MD5
5b650053603e6da74db3e68eb78cce7c

SHA1
c8530ff9de11aa6f7ae8f44f3225cead3a39d6ec

SHA256
0699ccdfd7be10071af5ab49cc901515e8c016712ff6a535183b27007c11b6f0

SHA512
104597b176fccc8175074064b79edadd6db91d808231038544526ed78686e0389c251967cad1c9a1ebdc844770eb09ebcb20d29db5ffd81b31339e0ba1a0c70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
C:\Users\Admin\Documents\drivers\uplauncher.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
C:\Users\Admin\Documents\drivers\uplauncher.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
C:\Users\Admin\Documents\drivers\uplauncher.exe
MD5
94d71670e23d7506db97f44644b7e231

SHA1
f0f0ded44d4ceebd080c988af04a67f8a49f1cd7

SHA256
1f063016027fb0d60e97bb27352bf56e79afc949c46729361456c64b373bdb91

SHA512
dcfb5ce64a033af7aa8e294a9df814ab72aa361f5e58eb1f8fe3e4924fb526cf60fdb7486d5aabda391e080135010a35f61b36a1611e9b3b585e4d74b6cb3b52

Download Submit
memory/8-43-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/8-51-0x0000000005251000-0x0000000005252000-memory.dmp

Filesize
4KB

Download
memory/8-33-0x0000000000000000-mapping.dmp

Download
memory/8-41-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/8-36-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/8-44-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/8-37-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/8-48-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/8-46-0x0000000006B90000-0x0000000006BB1000-memory.dmp

Filesize
132KB

Download
memory/188-81-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/188-69-0x0000000000000000-mapping.dmp

Download
memory/188-72-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/188-80-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/188-85-0x0000000004D31000-0x0000000004D32000-memory.dmp

Filesize
4KB

Download
memory/204-22-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/204-21-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/204-30-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/204-31-0x00000000058C1000-0x00000000058C2000-memory.dmp

Filesize
4KB

Download
memory/204-26-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/204-13-0x000000000041FF7A-mapping.dmp

Download
memory/204-24-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/204-25-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/204-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/204-23-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/204-18-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/204-15-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/204-20-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/204-19-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/204-27-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/508-10-0x0000000004D50000-0x0000000004D5B000-memory.dmp

Filesize
44KB

Download
memory/508-9-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/508-11-0x0000000006800000-0x0000000006848000-memory.dmp

Filesize
288KB

Download
memory/508-5-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/508-2-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/508-6-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/508-7-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/508-3-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/508-8-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1000-50-0x0000000000000000-mapping.dmp

Download
memory/2168-68-0x00000000059B1000-0x00000000059B2000-memory.dmp

Filesize
4KB

Download
memory/2168-63-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/2168-62-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/2168-60-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/2168-55-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-52-0x0000000000000000-mapping.dmp

Download
memory/3004-49-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads