redline | abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
11-03-2021 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
Size

256KB
MD5

8ca675896f6c9ad9fe8deb1cc63bf8f5
SHA1

59ce426a1d26cf3a5a8552da59263475bfded136
SHA256

abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74
SHA512

d9225a3903610408d8dfb7447f8ca37a4dec05b1b86ad56c4c99e4f22087ab75a2283e827032ebf03735276601ba87827b303a52ca06c04908314bc16872babc

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1320-41-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/1320-42-0x000000000041E1AA-mapping.dmp	family_redline
behavioral1/memory/1320-48-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

2041131341.exe1090905469.exeRegAsm.exe

pid process

1272 2041131341.exe
1520 1090905469.exe
1320 RegAsm.exe

pid	process
1272	2041131341.exe
1520	1090905469.exe
1320	RegAsm.exe

Loads dropped DLL 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe1090905469.exeRegAsm.exe

pid	process
1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
1520	1090905469.exe
1320	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1090905469.exe

description pid process target process

PID 1520 set thread context of 1320 1520 1090905469.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1520 set thread context of 1320	1520	1090905469.exe	RegAsm.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1090905469.exe

pid process

1520 1090905469.exe
1520 1090905469.exe

pid	process
1520	1090905469.exe
1520	1090905469.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe2041131341.exe1090905469.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
Token: SeDebugPrivilege	1272	2041131341.exe
Token: SeDebugPrivilege	1520	1090905469.exe
Token: SeDebugPrivilege	1320	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe1090905469.exe

description	pid	process	target process
PID 1680 wrote to memory of 1272	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	2041131341.exe
PID 1680 wrote to memory of 1272	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	2041131341.exe
PID 1680 wrote to memory of 1272	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	2041131341.exe
PID 1680 wrote to memory of 1272	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	2041131341.exe
PID 1680 wrote to memory of 1520	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 1680 wrote to memory of 1520	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 1680 wrote to memory of 1520	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 1680 wrote to memory of 1520	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 1680 wrote to memory of 1520	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 1680 wrote to memory of 1520	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 1680 wrote to memory of 1520	1680	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe
PID 1520 wrote to memory of 1320	1520	1090905469.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\2041131341.exe
"C:\Users\Admin\AppData\Local\Temp\2041131341.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Users\Admin\AppData\Local\Temp\1090905469.exe
"C:\Users\Admin\AppData\Local\Temp\1090905469.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1090905469.exe
MD5
3ab5db8a82b6ca11f37100b4fa751c72

SHA1
a34ca15f4e9ce9364da1e3e2f12aac7ba45a12bc

SHA256
c0c68e99e32734375809943760576f5eb7f487360b58d311f1b4f7d6c8a0c6df

SHA512
c8d078a544353c7524877e8030dcb71f0e0ceb98daa9547ba592748731645e326a857b93f0d63571ace57ffcb9cd5216c88aba1651ff8d4ff01b62f0e535f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090905469.exe
MD5
3ab5db8a82b6ca11f37100b4fa751c72

SHA1
a34ca15f4e9ce9364da1e3e2f12aac7ba45a12bc

SHA256
c0c68e99e32734375809943760576f5eb7f487360b58d311f1b4f7d6c8a0c6df

SHA512
c8d078a544353c7524877e8030dcb71f0e0ceb98daa9547ba592748731645e326a857b93f0d63571ace57ffcb9cd5216c88aba1651ff8d4ff01b62f0e535f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2041131341.exe
MD5
526489ddbfd0d84e845ccd132cae5555

SHA1
a6a2b7c7d8e15ebc3918b212ca6952818fe8cf3a

SHA256
93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e

SHA512
fd4d0175487e06ac8ade388f5c7d43f80bc101cbfb2b2eeefb0b62be281e8eddc99a5a29124ca2bd0c4e25f649b9fe7b6154b7f86b392fadf3194d27651a7a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\1090905469.exe
MD5
3ab5db8a82b6ca11f37100b4fa751c72

SHA1
a34ca15f4e9ce9364da1e3e2f12aac7ba45a12bc

SHA256
c0c68e99e32734375809943760576f5eb7f487360b58d311f1b4f7d6c8a0c6df

SHA512
c8d078a544353c7524877e8030dcb71f0e0ceb98daa9547ba592748731645e326a857b93f0d63571ace57ffcb9cd5216c88aba1651ff8d4ff01b62f0e535f9eb

Download Submit
\Users\Admin\AppData\Local\Temp\2041131341.exe
MD5
526489ddbfd0d84e845ccd132cae5555

SHA1
a6a2b7c7d8e15ebc3918b212ca6952818fe8cf3a

SHA256
93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e

SHA512
fd4d0175487e06ac8ade388f5c7d43f80bc101cbfb2b2eeefb0b62be281e8eddc99a5a29124ca2bd0c4e25f649b9fe7b6154b7f86b392fadf3194d27651a7a64

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1272-23-0x0000000004862000-0x0000000004863000-memory.dmp

Filesize
4KB

Download
memory/1272-11-0x0000000000000000-mapping.dmp

Download
memory/1272-13-0x0000000001F20000-0x0000000001F31000-memory.dmp

Filesize
68KB

Download
memory/1272-14-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-15-0x00000000003E0000-0x00000000003ED000-memory.dmp

Filesize
52KB

Download
memory/1272-21-0x0000000001F00000-0x0000000001F0C000-memory.dmp

Filesize
48KB

Download
memory/1272-22-0x0000000004861000-0x0000000004862000-memory.dmp

Filesize
4KB

Download
memory/1272-24-0x0000000004863000-0x0000000004864000-memory.dmp

Filesize
4KB

Download
memory/1272-25-0x0000000004864000-0x0000000004866000-memory.dmp

Filesize
8KB

Download
memory/1320-41-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1320-42-0x000000000041E1AA-mapping.dmp

Download
memory/1320-48-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1320-50-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1320-47-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1320-45-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1520-38-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1520-31-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1520-34-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1520-36-0x0000000005FF0000-0x000000000601F000-memory.dmp

Filesize
188KB

Download
memory/1520-37-0x0000000000A90000-0x0000000000A9B000-memory.dmp

Filesize
44KB

Download
memory/1520-33-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1520-30-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1520-40-0x0000000004A81000-0x0000000004A82000-memory.dmp

Filesize
4KB

Download
memory/1520-27-0x0000000000000000-mapping.dmp

Download
memory/1680-9-0x0000000002014000-0x0000000002016000-memory.dmp

Filesize
8KB

Download
memory/1680-6-0x0000000002011000-0x0000000002012000-memory.dmp

Filesize
4KB

Download
memory/1680-8-0x0000000002013000-0x0000000002014000-memory.dmp

Filesize
4KB

Download
memory/1680-3-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-2-0x0000000001ED0000-0x0000000001EE1000-memory.dmp

Filesize
68KB

Download
memory/1680-5-0x0000000001FC0000-0x0000000001FC9000-memory.dmp

Filesize
36KB

Download
memory/1680-4-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/1680-7-0x0000000002012000-0x0000000002013000-memory.dmp

Filesize
4KB

Download