redline | fc1c966dd0ac73c1e2aae4287b1480ba9d27d01accc069a9a69d2a4fc9f1a6a9

General

Target

965212c139d8c474ed69ff3c33b88be4.exe
Size

521KB
MD5

965212c139d8c474ed69ff3c33b88be4
SHA1

cce8ddf99da03113f80cd0e3e1368186468d904d
SHA256

fc1c966dd0ac73c1e2aae4287b1480ba9d27d01accc069a9a69d2a4fc9f1a6a9
SHA512

f9f37bbbacffcd4eed9ac7d4a66c9d5d0f0b0c85ec93e03712e1d238ace52f718beec08a5fc921b6a2d6d4084d1a4280258c188c514a6e0548ebde81afe9fd12

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

VersiumResearc.exeVersiumResearch.exeVersiumRes.exe

pid process

3220 VersiumResearc.exe
1496 VersiumResearch.exe
3588 VersiumRes.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3220	VersiumResearc.exe
1496	VersiumResearch.exe
3588	VersiumRes.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VersiumRes.exeVersiumResearc.exe

description	pid	process	target process
PID 3588 set thread context of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3220 set thread context of 3944	3220	VersiumResearc.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

VersiumResearch.exeAddInProcess32.exeAddInProcess32.exe

pid process

1496 VersiumResearch.exe
3052 AddInProcess32.exe
3944 AddInProcess32.exe

pid	process
1496	VersiumResearch.exe
3052	AddInProcess32.exe
3944	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

VersiumRes.exeVersiumResearch.exeAddInProcess32.exeVersiumResearc.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	3588	VersiumRes.exe
Token: SeDebugPrivilege	1496	VersiumResearch.exe
Token: SeDebugPrivilege	3052	AddInProcess32.exe
Token: SeDebugPrivilege	3220	VersiumResearc.exe
Token: SeDebugPrivilege	3944	AddInProcess32.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

965212c139d8c474ed69ff3c33b88be4.exeVersiumRes.exeAddInProcess32.execmd.exeVersiumResearc.exe

description	pid	process	target process
PID 1276 wrote to memory of 3220	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumResearc.exe
PID 1276 wrote to memory of 3220	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumResearc.exe
PID 1276 wrote to memory of 3220	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumResearc.exe
PID 1276 wrote to memory of 1496	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumResearch.exe
PID 1276 wrote to memory of 1496	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumResearch.exe
PID 1276 wrote to memory of 1496	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumResearch.exe
PID 1276 wrote to memory of 3588	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumRes.exe
PID 1276 wrote to memory of 3588	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumRes.exe
PID 1276 wrote to memory of 3588	1276	965212c139d8c474ed69ff3c33b88be4.exe	VersiumRes.exe
PID 3588 wrote to memory of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3588 wrote to memory of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3588 wrote to memory of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3588 wrote to memory of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3588 wrote to memory of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3588 wrote to memory of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3588 wrote to memory of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3588 wrote to memory of 3052	3588	VersiumRes.exe	AddInProcess32.exe
PID 3052 wrote to memory of 2564	3052	AddInProcess32.exe	cmd.exe
PID 3052 wrote to memory of 2564	3052	AddInProcess32.exe	cmd.exe
PID 3052 wrote to memory of 2564	3052	AddInProcess32.exe	cmd.exe
PID 2564 wrote to memory of 2868	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 2868	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 2868	2564	cmd.exe	reg.exe
PID 3220 wrote to memory of 3944	3220	VersiumResearc.exe	AddInProcess32.exe
PID 3220 wrote to memory of 3944	3220	VersiumResearc.exe	AddInProcess32.exe
PID 3220 wrote to memory of 3944	3220	VersiumResearc.exe	AddInProcess32.exe
PID 3220 wrote to memory of 3944	3220	VersiumResearc.exe	AddInProcess32.exe
PID 3220 wrote to memory of 3944	3220	VersiumResearc.exe	AddInProcess32.exe
PID 3220 wrote to memory of 3944	3220	VersiumResearc.exe	AddInProcess32.exe
PID 3220 wrote to memory of 3944	3220	VersiumResearc.exe	AddInProcess32.exe
PID 3220 wrote to memory of 3944	3220	VersiumResearc.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\965212c139d8c474ed69ff3c33b88be4.exe
"C:\Users\Admin\AppData\Local\Temp\965212c139d8c474ed69ff3c33b88be4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\VersiumResearc.exe
C:\Users\Admin\AppData\Local\Temp\VersiumResearc.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Users\Admin\AppData\Local\Temp\VersiumResearch.exe
C:\Users\Admin\AppData\Local\Temp\VersiumResearch.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Users\Admin\AppData\Local\Temp\VersiumRes.exe
C:\Users\Admin\AppData\Local\Temp\VersiumRes.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\cmd.exe
"cmd" /C reg add HKEY_CURRENT_USER\Software\DataFinder\keycheck /v Status /t REG_DWORD /d 1 && reg add HKEY_CURRENT_USER\Software\DataFinder\VersiumResearch /v Status /t REG_DWORD /d 1
4⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\DataFinder\keycheck /v Status /t REG_DWORD /d 1
5⤵
PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

MD5
3375f93b9adc89753e8d23050bce6ca0

SHA1
9532d3600af4bd299e649e8dfd16896ba63fd27e

SHA256
dcea8294dccb23d9690c3f14ebe53b4ed0ee4da80171f238e9cf8160ac708295

SHA512
b4c65c9bb265992311707149cd2e285ae87eaabf179e046d2e38dd22901b84c1aa1ea94966d6f4eed31230f2869ccde47587ec65e92ca58d3a8b1f8358786a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VersiumRes.exe

MD5
7959ab8670c919f85a98c231079739c8

SHA1
251792b13b125bdec88fe59244864da038fb4a27

SHA256
1d4a8313f0e48235cd8df99469b602d049ed558d82fc1e283476600e4149a145

SHA512
ab123560fdf39be963882f75cc1434ada2d14486cc9e0e4be11dcf79b046e1a19ff26ff28fd4a3a46c11b7526d29eaded77a4cd7d7e713fea268f62dfcff0841

Download Submit
C:\Users\Admin\AppData\Local\Temp\VersiumRes.exe

MD5
7959ab8670c919f85a98c231079739c8

SHA1
251792b13b125bdec88fe59244864da038fb4a27

SHA256
1d4a8313f0e48235cd8df99469b602d049ed558d82fc1e283476600e4149a145

SHA512
ab123560fdf39be963882f75cc1434ada2d14486cc9e0e4be11dcf79b046e1a19ff26ff28fd4a3a46c11b7526d29eaded77a4cd7d7e713fea268f62dfcff0841

Download Submit
C:\Users\Admin\AppData\Local\Temp\VersiumResearc.exe

MD5
bda1efdad61372b0b12a4277e9558484

SHA1
dc9be4e90eaacbf08b4b04d71b5fe17cd752e6a6

SHA256
3a959095c9ef35d13c356c3236798cd6f4cdfab08bfddc618aa63875784ff3fc

SHA512
7b9e715627c6300075eeee8ec861e32ba96b855ce5857d7adb7518061cea5a48237b2cf886b5cfef88f40934f90656d8a64b7286dcb303ab44a4846c010edec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VersiumResearc.exe

MD5
bda1efdad61372b0b12a4277e9558484

SHA1
dc9be4e90eaacbf08b4b04d71b5fe17cd752e6a6

SHA256
3a959095c9ef35d13c356c3236798cd6f4cdfab08bfddc618aa63875784ff3fc

SHA512
7b9e715627c6300075eeee8ec861e32ba96b855ce5857d7adb7518061cea5a48237b2cf886b5cfef88f40934f90656d8a64b7286dcb303ab44a4846c010edec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VersiumResearch.exe

MD5
aedd7327b99ed5177d43ed7758f1ebff

SHA1
46137683ee73646c9aa05ed27b661ad2ecbe9c20

SHA256
0d6704a682e281399df401b4aac628f0ff16826b31e2c61df32919e77c55edf8

SHA512
68b35c614d38064fed6dbaf34a06063445fd4433b15776431ffefaaafda4ea29bbcdf427bd3a835287debc8dec447efb4443f19bded463b1230819928360a392

Download Submit
C:\Users\Admin\AppData\Local\Temp\VersiumResearch.exe

MD5
aedd7327b99ed5177d43ed7758f1ebff

SHA1
46137683ee73646c9aa05ed27b661ad2ecbe9c20

SHA256
0d6704a682e281399df401b4aac628f0ff16826b31e2c61df32919e77c55edf8

SHA512
68b35c614d38064fed6dbaf34a06063445fd4433b15776431ffefaaafda4ea29bbcdf427bd3a835287debc8dec447efb4443f19bded463b1230819928360a392

Download Submit
memory/1496-49-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/1496-53-0x0000000001921000-0x0000000001922000-memory.dmp

Filesize
4KB

Download
memory/1496-37-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1496-13-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-14-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1496-16-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1496-38-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/1496-19-0x0000000001920000-0x0000000001921000-memory.dmp

Filesize
4KB

Download
memory/1496-59-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/1496-10-0x0000000000000000-mapping.dmp

Download
memory/1496-52-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/1496-48-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/1496-41-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/1496-40-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/1496-39-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/2564-61-0x0000000000000000-mapping.dmp

Download
memory/2868-62-0x0000000000000000-mapping.dmp

Download
memory/3052-35-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3052-30-0x000000000041E89E-mapping.dmp

Download
memory/3052-29-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3052-31-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/3220-18-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/3220-5-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/3220-63-0x0000000004330000-0x0000000004343000-memory.dmp

Filesize
76KB

Download
memory/3220-9-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/3220-17-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/3220-6-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3220-2-0x0000000000000000-mapping.dmp

Download
memory/3220-8-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/3588-20-0x0000000000000000-mapping.dmp

Download
memory/3588-23-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/3588-24-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3588-27-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3588-28-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3944-65-0x000000000041E89E-mapping.dmp

Download
memory/3944-67-0x0000000073D20000-0x000000007440E000-memory.dmp

Filesize
6.9MB

Download
memory/3944-71-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3944-76-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads