redline | afc5d1c659bc8b4d23ab16bd112dce9bcdada2d17f7bcbc589290cbb8cb281c3

Analysis

max time kernel
81s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
03-03-2021 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea2e0d879ab44e51905b09180034dda.exe
Size

7.6MB
MD5

eea2e0d879ab44e51905b09180034dda
SHA1

75a4828f2005b89eb42a42ff304d23ca4e627bc2
SHA256

afc5d1c659bc8b4d23ab16bd112dce9bcdada2d17f7bcbc589290cbb8cb281c3
SHA512

28b571490a776385a285d8799c2f950fad49356f3e7fa603fea3409bc6b7ca0323479eb5a7a2238326f17794c5c25a5381cf037b89ead267123932a90c3da09a

Score

10^/10

redline discovery evasion infostealer spyware trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 6 IoCs

Processes:

_7zipd.exeProtonVPNs.exe_7zipd.exe7zip.exe7zip.exe7zip.exe

pid process

3628 _7zipd.exe
2192 ProtonVPNs.exe
188 _7zipd.exe
4084 7zip.exe
2868 7zip.exe
2200 7zip.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3628	_7zipd.exe
2192	ProtonVPNs.exe
188	_7zipd.exe
4084	7zip.exe
2868	7zip.exe
2200	7zip.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

_7zipd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_7zipd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	_7zipd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

_7zipd.exe7zip.exe

description pid process target process

PID 3628 set thread context of 188 3628 _7zipd.exe _7zipd.exe
PID 4084 set thread context of 2200 4084 7zip.exe 7zip.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2548 taskkill.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

_7zipd.exe7zip.exe7zip.exe

pid process

188 _7zipd.exe
188 _7zipd.exe
188 _7zipd.exe
4084 7zip.exe
4084 7zip.exe
2200 7zip.exe
2200 7zip.exe

description	pid	process	target process
PID 3628 set thread context of 188	3628	_7zipd.exe	_7zipd.exe
PID 4084 set thread context of 2200	4084	7zip.exe	7zip.exe

pid	process
2548	taskkill.exe

pid	process
188	_7zipd.exe
188	_7zipd.exe
188	_7zipd.exe
4084	7zip.exe
4084	7zip.exe
2200	7zip.exe
2200	7zip.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

_7zipd.exetaskkill.exe7zip.exe7zip.exe

description	pid	process
Token: SeDebugPrivilege	188	_7zipd.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	4084	7zip.exe
Token: SeDebugPrivilege	2200	7zip.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

eea2e0d879ab44e51905b09180034dda.exe_7zipd.exe_7zipd.execmd.exe7zip.exe

description	pid	process	target process
PID 412 wrote to memory of 3628	412	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 412 wrote to memory of 3628	412	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 412 wrote to memory of 3628	412	eea2e0d879ab44e51905b09180034dda.exe	_7zipd.exe
PID 412 wrote to memory of 2192	412	eea2e0d879ab44e51905b09180034dda.exe	ProtonVPNs.exe
PID 412 wrote to memory of 2192	412	eea2e0d879ab44e51905b09180034dda.exe	ProtonVPNs.exe
PID 3628 wrote to memory of 188	3628	_7zipd.exe	_7zipd.exe
PID 3628 wrote to memory of 188	3628	_7zipd.exe	_7zipd.exe
PID 3628 wrote to memory of 188	3628	_7zipd.exe	_7zipd.exe
PID 3628 wrote to memory of 188	3628	_7zipd.exe	_7zipd.exe
PID 3628 wrote to memory of 188	3628	_7zipd.exe	_7zipd.exe
PID 3628 wrote to memory of 188	3628	_7zipd.exe	_7zipd.exe
PID 3628 wrote to memory of 188	3628	_7zipd.exe	_7zipd.exe
PID 3628 wrote to memory of 188	3628	_7zipd.exe	_7zipd.exe
PID 188 wrote to memory of 4084	188	_7zipd.exe	7zip.exe
PID 188 wrote to memory of 4084	188	_7zipd.exe	7zip.exe
PID 188 wrote to memory of 4084	188	_7zipd.exe	7zip.exe
PID 188 wrote to memory of 2236	188	_7zipd.exe	cmd.exe
PID 188 wrote to memory of 2236	188	_7zipd.exe	cmd.exe
PID 188 wrote to memory of 2236	188	_7zipd.exe	cmd.exe
PID 2236 wrote to memory of 2548	2236	cmd.exe	taskkill.exe
PID 2236 wrote to memory of 2548	2236	cmd.exe	taskkill.exe
PID 2236 wrote to memory of 2548	2236	cmd.exe	taskkill.exe
PID 2236 wrote to memory of 3908	2236	cmd.exe	choice.exe
PID 2236 wrote to memory of 3908	2236	cmd.exe	choice.exe
PID 2236 wrote to memory of 3908	2236	cmd.exe	choice.exe
PID 4084 wrote to memory of 2868	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2868	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2868	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2200	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2200	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2200	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2200	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2200	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2200	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2200	4084	7zip.exe	7zip.exe
PID 4084 wrote to memory of 2200	4084	7zip.exe	7zip.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

_7zipd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	_7zipd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	_7zipd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0"	_7zipd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	_7zipd.exe

C:\Users\Admin\AppData\Local\Temp\eea2e0d879ab44e51905b09180034dda.exe
"C:\Users\Admin\AppData\Local\Temp\eea2e0d879ab44e51905b09180034dda.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\ProgramData\_7zipd.exe
"C:\ProgramData\_7zipd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628

C:\ProgramData\_7zipd.exe
"C:\ProgramData\_7zipd.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:188

C:\Users\Admin\Downloads\7zip.exe
"C:\Users\Admin\Downloads\7zip.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\Downloads\7zip.exe
"{path}"
5⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\Downloads\7zip.exe
"{path}"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" "188" "C:\ProgramData\_7zipd.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID "188"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:3908

C:\ProgramData\ProtonVPNs.exe
"C:\ProgramData\ProtonVPNs.exe"
2⤵
- Executes dropped EXE
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ProtonVPNs.exe
MD5
bbdfa1d6790c663a569fc5b8dfecf810

SHA1
2191504f2a05f6b17b9476c4c7e005f8d3618f3a

SHA256
21feafefb5eff856a47945000c079d7c8954caf877b03a31b34ea9a546da3d33

SHA512
9f7e16d3bb3244557f0b2c826c18dabf199a81aff7b70b3d4bd1aa9d3e7a79a4bab1cb2c0c731744fcf2e1b24c56c48d1e90b13c8cbd2f9a453d5f7e0366fdea

Download Submit
C:\ProgramData\ProtonVPNs.exe
MD5
bbdfa1d6790c663a569fc5b8dfecf810

SHA1
2191504f2a05f6b17b9476c4c7e005f8d3618f3a

SHA256
21feafefb5eff856a47945000c079d7c8954caf877b03a31b34ea9a546da3d33

SHA512
9f7e16d3bb3244557f0b2c826c18dabf199a81aff7b70b3d4bd1aa9d3e7a79a4bab1cb2c0c731744fcf2e1b24c56c48d1e90b13c8cbd2f9a453d5f7e0366fdea

Download Submit
C:\ProgramData\_7zipd.exe
MD5
c007d22f751661403db37a7062cc0acc

SHA1
156d48130171e2013f83560e4a78f05dc0eb5a14

SHA256
471e67a4a80c2fcf8d06e4519a99bde626c886768916cf5046faa901002892d7

SHA512
be66365bcedf1a6d033f83804d81c50094fb96e4f2390fa45e2b2a6c2fb8887810d03af8dd7e9ee0718f8a54831de4844a68b95d85cd111cf84708608cda6b94

Download Submit
C:\ProgramData\_7zipd.exe
MD5
c007d22f751661403db37a7062cc0acc

SHA1
156d48130171e2013f83560e4a78f05dc0eb5a14

SHA256
471e67a4a80c2fcf8d06e4519a99bde626c886768916cf5046faa901002892d7

SHA512
be66365bcedf1a6d033f83804d81c50094fb96e4f2390fa45e2b2a6c2fb8887810d03af8dd7e9ee0718f8a54831de4844a68b95d85cd111cf84708608cda6b94

Download Submit
C:\ProgramData\_7zipd.exe
MD5
c007d22f751661403db37a7062cc0acc

SHA1
156d48130171e2013f83560e4a78f05dc0eb5a14

SHA256
471e67a4a80c2fcf8d06e4519a99bde626c886768916cf5046faa901002892d7

SHA512
be66365bcedf1a6d033f83804d81c50094fb96e4f2390fa45e2b2a6c2fb8887810d03af8dd7e9ee0718f8a54831de4844a68b95d85cd111cf84708608cda6b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7zip.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\_7zipd.exe.log
MD5
4a30a8132195c1aa1a62b78676b178d9

SHA1
506e6d99a2ba08c9d3553af30daaaa0fc46ae4be

SHA256
71636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20

SHA512
3272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remove.bat
MD5
aa5f6a4940898fad87b5c5ca4897d554

SHA1
6a217ccd48b44c55e743031be5bdd44c0cac8a7b

SHA256
be5a0877f129f752ebb2c0d8e598864a4ee7f220a87bd751e89fc2004b06b48f

SHA512
9c4b41f8654e7c656a2616ec1e2888f3fe4b8c35ac842aabf130881d4e4980154ef5ca75e7532714af5b8cbd588fe48e022e81af54c0ef03921e2c7229a24f3b

Download Submit
C:\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
C:\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
C:\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
C:\Users\Admin\Downloads\7zip.exe
MD5
b21336f35129415d339f0a8f2fc190f5

SHA1
2ee98527e54dbb943f3f34046f66fbcc134be056

SHA256
b3aaccdc1085c2345fa97dee0864226062342c0f746ef0b91cd885f173ea572a

SHA512
0832bd4f73fbd302d5500aaf10f7ba2651e30547cc0a9bbd898f4ecfa9ee2480922809c95457cbd3382c7e075585ae069d2ea84b042066df69bad2e5c25e304e

Download Submit
memory/188-26-0x00000000004067BA-mapping.dmp

Download
memory/188-32-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/188-29-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/188-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/412-2-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/412-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2192-13-0x00007FF803030000-0x00007FF803A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-17-0x0000028395210000-0x0000028395211000-memory.dmp

Filesize
4KB

Download
memory/2192-9-0x0000000000000000-mapping.dmp

Download
memory/2200-52-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2200-53-0x000000000041FF7A-mapping.dmp

Download
memory/2200-72-0x00000000032C1000-0x00000000032C2000-memory.dmp

Filesize
4KB

Download
memory/2200-71-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/2200-68-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/2200-67-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/2200-66-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/2200-65-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/2200-64-0x0000000006030000-0x0000000006031000-memory.dmp

Filesize
4KB

Download
memory/2200-63-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/2200-62-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/2200-60-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2200-56-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-38-0x0000000000000000-mapping.dmp

Download
memory/2548-45-0x0000000000000000-mapping.dmp

Download
memory/3628-16-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3628-19-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3628-22-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/3628-15-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/3628-11-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/3628-21-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/3628-8-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/3628-5-0x0000000000000000-mapping.dmp

Download
memory/3628-20-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3628-23-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/3628-24-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/3908-48-0x0000000000000000-mapping.dmp

Download
memory/4084-39-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4084-37-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/4084-49-0x0000000005200000-0x000000000520B000-memory.dmp

Filesize
44KB

Download
memory/4084-50-0x0000000006BA0000-0x0000000006BE8000-memory.dmp

Filesize
288KB

Download
memory/4084-34-0x0000000000000000-mapping.dmp

Download
memory/4084-46-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4084-47-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download