redline | 5d5c572bd9c5a93783e2fbd7c551b54570ab531df2b7d1b93758453c4124db03

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7v20201028
submitted
13-03-2021 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lilal1.exe
Size

1.1MB
MD5

53491ccbc0a3cfea20af934cf4a460b4
SHA1

2208a9d51224806826e0c9648c486ddcf16e1ddb
SHA256

5d5c572bd9c5a93783e2fbd7c551b54570ab531df2b7d1b93758453c4124db03
SHA512

87be88c619f97dfbbebac622bd89fc3be278b7ff5b62a4ab96b4fdb1323d227c07ab274c41383bf95672c00a29230ecb19afb6a09b7b62087ef684860f2e561b

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1380-22-0x0000000000090000-0x00000000000B6000-memory.dmp	family_redline
behavioral1/memory/1380-28-0x0000000000090000-0x00000000000B6000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Tutte.exe.comTutte.exe.comRegAsm.exe

pid process

1456 Tutte.exe.com
804 Tutte.exe.com
1380 RegAsm.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeTutte.exe.comRegAsm.exe

pid process

1900 cmd.exe
804 Tutte.exe.com
1380 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Tutte.exe.com

description pid process target process

PID 804 set thread context of 1380 804 Tutte.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

564 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

1380 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1380 RegAsm.exe

pid	process
1456	Tutte.exe.com
804	Tutte.exe.com
1380	RegAsm.exe

pid	process
1900	cmd.exe
804	Tutte.exe.com
1380	RegAsm.exe

description	pid	process	target process
PID 804 set thread context of 1380	804	Tutte.exe.com	RegAsm.exe

pid	process
564	PING.EXE

pid	process
1380	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1380	RegAsm.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

lilal1.execmd.execmd.exeTutte.exe.comTutte.exe.com

description	pid	process	target process
PID 1100 wrote to memory of 1148	1100	lilal1.exe	cmd.exe
PID 1100 wrote to memory of 1148	1100	lilal1.exe	cmd.exe
PID 1100 wrote to memory of 1148	1100	lilal1.exe	cmd.exe
PID 1100 wrote to memory of 1148	1100	lilal1.exe	cmd.exe
PID 1100 wrote to memory of 1968	1100	lilal1.exe	cmd.exe
PID 1100 wrote to memory of 1968	1100	lilal1.exe	cmd.exe
PID 1100 wrote to memory of 1968	1100	lilal1.exe	cmd.exe
PID 1100 wrote to memory of 1968	1100	lilal1.exe	cmd.exe
PID 1968 wrote to memory of 1900	1968	cmd.exe	cmd.exe
PID 1968 wrote to memory of 1900	1968	cmd.exe	cmd.exe
PID 1968 wrote to memory of 1900	1968	cmd.exe	cmd.exe
PID 1968 wrote to memory of 1900	1968	cmd.exe	cmd.exe
PID 1900 wrote to memory of 1732	1900	cmd.exe	findstr.exe
PID 1900 wrote to memory of 1732	1900	cmd.exe	findstr.exe
PID 1900 wrote to memory of 1732	1900	cmd.exe	findstr.exe
PID 1900 wrote to memory of 1732	1900	cmd.exe	findstr.exe
PID 1900 wrote to memory of 1456	1900	cmd.exe	Tutte.exe.com
PID 1900 wrote to memory of 1456	1900	cmd.exe	Tutte.exe.com
PID 1900 wrote to memory of 1456	1900	cmd.exe	Tutte.exe.com
PID 1900 wrote to memory of 1456	1900	cmd.exe	Tutte.exe.com
PID 1900 wrote to memory of 564	1900	cmd.exe	PING.EXE
PID 1900 wrote to memory of 564	1900	cmd.exe	PING.EXE
PID 1900 wrote to memory of 564	1900	cmd.exe	PING.EXE
PID 1900 wrote to memory of 564	1900	cmd.exe	PING.EXE
PID 1456 wrote to memory of 804	1456	Tutte.exe.com	Tutte.exe.com
PID 1456 wrote to memory of 804	1456	Tutte.exe.com	Tutte.exe.com
PID 1456 wrote to memory of 804	1456	Tutte.exe.com	Tutte.exe.com
PID 1456 wrote to memory of 804	1456	Tutte.exe.com	Tutte.exe.com
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe
PID 804 wrote to memory of 1380	804	Tutte.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\lilal1.exe
"C:\Users\Admin\AppData\Local\Temp\lilal1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo ZbDljxuR
2⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Chi.pps
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^KOfqYXFXHXfiHgLIXiOAXifqprhOanReqPVmXdtCRQtPPPnMTPrxfhxDngQVKRFpyhuRzjLGrjJieAkxFAUCxbMNcswIAoSqkVKBIGaH$" Finita.vssm
4⤵
PID:1732

C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com
Tutte.exe.com r
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com r
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\RegAsm.exe
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Chi.pps
MD5
033c4432ff8c726eb7f1cc3a124c4989

SHA1
85d7280535aab2a96b305059b7115d745a6a0ebc

SHA256
825f95a11df387d9c224b933b5c8967b73fb060d670b8d6dceb739b6af2876b4

SHA512
339b7b946599645a45432806cb4a3f683fda857574a7f95e1e2e49eb6d5ff5e93fb64f7fc0e30e0951a992c15542431aecd362c4b2a73e51048b4444a40dd613

Download Submit
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Cio.ppam
MD5
088a2a4d78d131b13b715daf00cfd1db

SHA1
b170d18f9c1cd7c14e9a8a81c577e10cce015be5

SHA256
3894afb0e8f6439193844427cd50964baa7842158a1d92ff6505e353af04cfb8

SHA512
f9d2c67947a3c84ea9b3daa71b7953ede6e3dfa60e6fdb0ae8d37bbf81096a9bf13613228f28c4176358b42471d514323527bfbccffbccbdcf9917391438c474

Download Submit
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Divina.vsdx
MD5
56b02f5af274593f325cdfd2901fa075

SHA1
e4c3ee39f5e80ea0101e04fd3efe5e977e2c5028

SHA256
130d72dd84d69e4e2fb30eeebaa16a1e671f30150b104a037b73ff7e51d0b89e

SHA512
88e3288a67bc08e6e157d3fff064b62ec02361d6b15e5369c27eb98bea23ce5037831140b8d55b2317d809465f7f538f33fe5a67dee60e161e020aa32546ace5

Download Submit
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Finita.vssm
MD5
786f54fce2646f09f5359c0f28f857a5

SHA1
87df3b25247ca51c55795452a9c75c379bbc99a6

SHA256
a22dcc3123e0a16499e01516b5a3152f92879775ad86be3beb1ae20c797ea739

SHA512
e408b0bdc2a080a29732471a81c19f2820c536a275933e49e699d7f53ef0c59a88a6ffad567eff5a5e56a0bd63dbf77c5bc013c6a936d4ea940c22f1764f5281

Download Submit
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\qZVHOWShJAtn\r
MD5
56b02f5af274593f325cdfd2901fa075

SHA1
e4c3ee39f5e80ea0101e04fd3efe5e977e2c5028

SHA256
130d72dd84d69e4e2fb30eeebaa16a1e671f30150b104a037b73ff7e51d0b89e

SHA512
88e3288a67bc08e6e157d3fff064b62ec02361d6b15e5369c27eb98bea23ce5037831140b8d55b2317d809465f7f538f33fe5a67dee60e161e020aa32546ace5

Download Submit
\Users\Admin\AppData\Roaming\qZVHOWShJAtn\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\qZVHOWShJAtn\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\qZVHOWShJAtn\Tutte.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/564-14-0x0000000000000000-mapping.dmp

Download
memory/804-16-0x0000000000000000-mapping.dmp

Download
memory/804-21-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1100-2-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1148-3-0x0000000000000000-mapping.dmp

Download
memory/1380-22-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1380-27-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/1380-28-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/1380-30-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1456-11-0x0000000000000000-mapping.dmp

Download
memory/1732-7-0x0000000000000000-mapping.dmp

Download
memory/1900-6-0x0000000000000000-mapping.dmp

Download
memory/1968-4-0x0000000000000000-mapping.dmp

Download