redline | afc5d1c659bc8b4d23ab16bd112dce9bcdada2d17f7bcbc589290cbb8cb281c3

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
03-03-2021 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea2e0d879ab44e51905b09180034dda.exe
Size

7.6MB
MD5

eea2e0d879ab44e51905b09180034dda
SHA1

75a4828f2005b89eb42a42ff304d23ca4e627bc2
SHA256

afc5d1c659bc8b4d23ab16bd112dce9bcdada2d17f7bcbc589290cbb8cb281c3
SHA512

28b571490a776385a285d8799c2f950fad49356f3e7fa603fea3409bc6b7ca0323479eb5a7a2238326f17794c5c25a5381cf037b89ead267123932a90c3da09a

Score

10^/10

redline discovery evasion infostealer spyware trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 6 IoCs

Processes:

_7zipd.exeProtonVPNs.exe_7zipd.exe7zip.exe7zip.exe7zip.exe

pid process

1992 _7zipd.exe
1792 ProtonVPNs.exe
1708 _7zipd.exe
1544 7zip.exe
1644 7zip.exe
2004 7zip.exe
Loads dropped DLL 4 IoCs

Processes:

eea2e0d879ab44e51905b09180034dda.exe_7zipd.exe_7zipd.exe

pid process

1924 eea2e0d879ab44e51905b09180034dda.exe
1924 eea2e0d879ab44e51905b09180034dda.exe
1992 _7zipd.exe
1708 _7zipd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1992	_7zipd.exe
1792	ProtonVPNs.exe
1708	_7zipd.exe
1544	7zip.exe
1644	7zip.exe
2004	7zip.exe

pid	process
1924	eea2e0d879ab44e51905b09180034dda.exe
1924	eea2e0d879ab44e51905b09180034dda.exe
1992	_7zipd.exe
1708	_7zipd.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

_7zipd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_7zipd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	_7zipd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

_7zipd.exe7zip.exe

description	pid	process	target process
PID 1992 set thread context of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1544 set thread context of 2004	1544	7zip.exe	7zip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1388 taskkill.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

_7zipd.exe7zip.exe7zip.exe

pid process

1708 _7zipd.exe
1708 _7zipd.exe
1708 _7zipd.exe
1544 7zip.exe
1544 7zip.exe
2004 7zip.exe
2004 7zip.exe

pid	process
1388	taskkill.exe

pid	process
1708	_7zipd.exe
1708	_7zipd.exe
1708	_7zipd.exe
1544	7zip.exe
1544	7zip.exe
2004	7zip.exe
2004	7zip.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

_7zipd.exetaskkill.exe7zip.exe7zip.exe

description	pid	process
Token: SeDebugPrivilege	1708	_7zipd.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1544	7zip.exe
Token: SeDebugPrivilege	2004	7zip.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

eea2e0d879ab44e51905b09180034dda.exe_7zipd.exe_7zipd.execmd.exe7zip.exe

description	pid	process	target process
PID 1924 wrote to memory of 1992	1924	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 1924 wrote to memory of 1992	1924	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 1924 wrote to memory of 1992	1924	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 1924 wrote to memory of 1992	1924	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 1924 wrote to memory of 1992	1924	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 1924 wrote to memory of 1992	1924	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 1924 wrote to memory of 1992	1924	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 1924 wrote to memory of 1792	1924	eea2e0d879ab44e51905b09180034dda.exe	ProtonVPNs.exe
PID 1924 wrote to memory of 1792	1924	eea2e0d879ab44e51905b09180034dda.exe	ProtonVPNs.exe
PID 1924 wrote to memory of 1792	1924	eea2e0d879ab44e51905b09180034dda.exe	ProtonVPNs.exe
PID 1924 wrote to memory of 1792	1924	eea2e0d879ab44e51905b09180034dda.exe	ProtonVPNs.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1992 wrote to memory of 1708	1992	_7zipd.exe	_7zipd.exe
PID 1708 wrote to memory of 1544	1708	_7zipd.exe	7zip.exe
PID 1708 wrote to memory of 1544	1708	_7zipd.exe	7zip.exe
PID 1708 wrote to memory of 1544	1708	_7zipd.exe	7zip.exe
PID 1708 wrote to memory of 1544	1708	_7zipd.exe	7zip.exe
PID 1708 wrote to memory of 1116	1708	_7zipd.exe	cmd.exe
PID 1708 wrote to memory of 1116	1708	_7zipd.exe	cmd.exe
PID 1708 wrote to memory of 1116	1708	_7zipd.exe	cmd.exe
PID 1708 wrote to memory of 1116	1708	_7zipd.exe	cmd.exe
PID 1116 wrote to memory of 1388	1116	cmd.exe	taskkill.exe
PID 1116 wrote to memory of 1388	1116	cmd.exe	taskkill.exe
PID 1116 wrote to memory of 1388	1116	cmd.exe	taskkill.exe
PID 1116 wrote to memory of 1388	1116	cmd.exe	taskkill.exe
PID 1116 wrote to memory of 1548	1116	cmd.exe	choice.exe
PID 1116 wrote to memory of 1548	1116	cmd.exe	choice.exe
PID 1116 wrote to memory of 1548	1116	cmd.exe	choice.exe
PID 1116 wrote to memory of 1548	1116	cmd.exe	choice.exe
PID 1544 wrote to memory of 1644	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 1644	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 1644	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 1644	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe
PID 1544 wrote to memory of 2004	1544	7zip.exe	7zip.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

_7zipd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	_7zipd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	_7zipd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0"	_7zipd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	_7zipd.exe

C:\Users\Admin\AppData\Local\Temp\eea2e0d879ab44e51905b09180034dda.exe
"C:\Users\Admin\AppData\Local\Temp\eea2e0d879ab44e51905b09180034dda.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924

C:\ProgramData\_7zipd.exe
"C:\ProgramData\_7zipd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\ProgramData\_7zipd.exe
"C:\ProgramData\_7zipd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1708

C:\Users\Admin\Downloads\7zip.exe
"C:\Users\Admin\Downloads\7zip.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\Downloads\7zip.exe
"{path}"
5⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\Downloads\7zip.exe
"{path}"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" "1708" "C:\ProgramData\_7zipd.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID "1708"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1548

C:\ProgramData\ProtonVPNs.exe
"C:\ProgramData\ProtonVPNs.exe"
2⤵
- Executes dropped EXE
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ProtonVPNs.exe
MD5
bbdfa1d6790c663a569fc5b8dfecf810

SHA1
2191504f2a05f6b17b9476c4c7e005f8d3618f3a

SHA256
21feafefb5eff856a47945000c079d7c8954caf877b03a31b34ea9a546da3d33

SHA512
9f7e16d3bb3244557f0b2c826c18dabf199a81aff7b70b3d4bd1aa9d3e7a79a4bab1cb2c0c731744fcf2e1b24c56c48d1e90b13c8cbd2f9a453d5f7e0366fdea

Download Submit
C:\ProgramData\ProtonVPNs.exe
MD5
bbdfa1d6790c663a569fc5b8dfecf810

SHA1
2191504f2a05f6b17b9476c4c7e005f8d3618f3a

SHA256
21feafefb5eff856a47945000c079d7c8954caf877b03a31b34ea9a546da3d33

SHA512
9f7e16d3bb3244557f0b2c826c18dabf199a81aff7b70b3d4bd1aa9d3e7a79a4bab1cb2c0c731744fcf2e1b24c56c48d1e90b13c8cbd2f9a453d5f7e0366fdea

Download Submit
C:\ProgramData\_7zipd.exe
MD5
c007d22f751661403db37a7062cc0acc

SHA1
156d48130171e2013f83560e4a78f05dc0eb5a14

SHA256
471e67a4a80c2fcf8d06e4519a99bde626c886768916cf5046faa901002892d7

SHA512
be66365bcedf1a6d033f83804d81c50094fb96e4f2390fa45e2b2a6c2fb8887810d03af8dd7e9ee0718f8a54831de4844a68b95d85cd111cf84708608cda6b94

Download Submit
C:\ProgramData\_7zipd.exe
MD5
c007d22f751661403db37a7062cc0acc

SHA1
156d48130171e2013f83560e4a78f05dc0eb5a14

SHA256
471e67a4a80c2fcf8d06e4519a99bde626c886768916cf5046faa901002892d7

SHA512
be66365bcedf1a6d033f83804d81c50094fb96e4f2390fa45e2b2a6c2fb8887810d03af8dd7e9ee0718f8a54831de4844a68b95d85cd111cf84708608cda6b94

Download Submit
C:\ProgramData\_7zipd.exe
MD5
c007d22f751661403db37a7062cc0acc

SHA1
156d48130171e2013f83560e4a78f05dc0eb5a14

SHA256
471e67a4a80c2fcf8d06e4519a99bde626c886768916cf5046faa901002892d7

SHA512
be66365bcedf1a6d033f83804d81c50094fb96e4f2390fa45e2b2a6c2fb8887810d03af8dd7e9ee0718f8a54831de4844a68b95d85cd111cf84708608cda6b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remove.bat
MD5
aa5f6a4940898fad87b5c5ca4897d554

SHA1
6a217ccd48b44c55e743031be5bdd44c0cac8a7b

SHA256
be5a0877f129f752ebb2c0d8e598864a4ee7f220a87bd751e89fc2004b06b48f

SHA512
9c4b41f8654e7c656a2616ec1e2888f3fe4b8c35ac842aabf130881d4e4980154ef5ca75e7532714af5b8cbd588fe48e022e81af54c0ef03921e2c7229a24f3b

Download Submit
C:\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
C:\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
C:\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
C:\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
\ProgramData\ProtonVPNs.exe
MD5
bbdfa1d6790c663a569fc5b8dfecf810

SHA1
2191504f2a05f6b17b9476c4c7e005f8d3618f3a

SHA256
21feafefb5eff856a47945000c079d7c8954caf877b03a31b34ea9a546da3d33

SHA512
9f7e16d3bb3244557f0b2c826c18dabf199a81aff7b70b3d4bd1aa9d3e7a79a4bab1cb2c0c731744fcf2e1b24c56c48d1e90b13c8cbd2f9a453d5f7e0366fdea

Download Submit
\ProgramData\_7zipd.exe
MD5
c007d22f751661403db37a7062cc0acc

SHA1
156d48130171e2013f83560e4a78f05dc0eb5a14

SHA256
471e67a4a80c2fcf8d06e4519a99bde626c886768916cf5046faa901002892d7

SHA512
be66365bcedf1a6d033f83804d81c50094fb96e4f2390fa45e2b2a6c2fb8887810d03af8dd7e9ee0718f8a54831de4844a68b95d85cd111cf84708608cda6b94

Download Submit
\ProgramData\_7zipd.exe
MD5
c007d22f751661403db37a7062cc0acc

SHA1
156d48130171e2013f83560e4a78f05dc0eb5a14

SHA256
471e67a4a80c2fcf8d06e4519a99bde626c886768916cf5046faa901002892d7

SHA512
be66365bcedf1a6d033f83804d81c50094fb96e4f2390fa45e2b2a6c2fb8887810d03af8dd7e9ee0718f8a54831de4844a68b95d85cd111cf84708608cda6b94

Download Submit
\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
memory/1116-36-0x0000000000000000-mapping.dmp

Download
memory/1388-40-0x0000000000000000-mapping.dmp

Download
memory/1544-44-0x0000000000F10000-0x0000000000F58000-memory.dmp

Filesize
288KB

Download
memory/1544-32-0x0000000000000000-mapping.dmp

Download
memory/1544-35-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1544-43-0x00000000004D0000-0x00000000004DB000-memory.dmp

Filesize
44KB

Download
memory/1544-37-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1544-41-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1548-42-0x0000000000000000-mapping.dmp

Download
memory/1708-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1708-27-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1708-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1708-30-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1708-25-0x00000000004067BA-mapping.dmp

Download
memory/1792-17-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-18-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1792-14-0x0000000000000000-mapping.dmp

Download
memory/1924-3-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/1924-5-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1924-2-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-10-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-22-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/1992-20-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1992-21-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/1992-11-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1992-7-0x0000000000000000-mapping.dmp

Download
memory/2004-46-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2004-47-0x000000000041FF7A-mapping.dmp

Download
memory/2004-49-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-50-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2004-52-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download