redline | 1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445

Analysis

max time kernel
150s
max time network
92s
platform
windows7_x64
resource
win7v20201028
submitted
22-03-2021 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clr3.exe
Size

1.1MB
MD5

b2c1396260a5bf7289fbd08cdb3cc96d
SHA1

349ead630fb0f7f12fae208b573a255f12095ed1
SHA256

1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445
SHA512

23f9135d969bfae5ade2ac4eb1cc4597ad646fcaa814f737422eb6479ef030fc9e19591dc0595684c853104d7b7ada0f0460f8f69067f47e6f09c16e2a665c46

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

srvs.exeswnetwork.exesrvs.tmp

pid process

1084 srvs.exe
328 swnetwork.exe
1620 srvs.tmp
Loads dropped DLL 3 IoCs

Processes:

clr3.exesrvs.exe

pid process

1552 clr3.exe
1552 clr3.exe
1084 srvs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

clr3.exe

description pid process target process

PID 1944 set thread context of 1552 1944 clr3.exe clr3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1828 timeout.exe

pid	process
1084	srvs.exe
328	swnetwork.exe
1620	srvs.tmp

pid	process
1552	clr3.exe
1552	clr3.exe
1084	srvs.exe

description	pid	process	target process
PID 1944 set thread context of 1552	1944	clr3.exe	clr3.exe

pid	process
1828	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

clr3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	clr3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	clr3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	clr3.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

clr3.exesrvs.tmpswnetwork.exe

pid process

1552 clr3.exe
1552 clr3.exe
1620 srvs.tmp
1620 srvs.tmp
328 swnetwork.exe
328 swnetwork.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

clr3.exeswnetwork.exe

description pid process

Token: SeDebugPrivilege 1552 clr3.exe
Token: SeDebugPrivilege 328 swnetwork.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

srvs.tmp

pid process

1620 srvs.tmp

pid	process
1552	clr3.exe
1552	clr3.exe
1620	srvs.tmp
1620	srvs.tmp
328	swnetwork.exe
328	swnetwork.exe

description	pid	process
Token: SeDebugPrivilege	1552	clr3.exe
Token: SeDebugPrivilege	328	swnetwork.exe

pid	process
1620	srvs.tmp

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

clr3.execlr3.exesrvs.exesrvs.tmpcmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1944 wrote to memory of 1552	1944	clr3.exe	clr3.exe
PID 1552 wrote to memory of 1084	1552	clr3.exe	srvs.exe
PID 1552 wrote to memory of 1084	1552	clr3.exe	srvs.exe
PID 1552 wrote to memory of 1084	1552	clr3.exe	srvs.exe
PID 1552 wrote to memory of 1084	1552	clr3.exe	srvs.exe
PID 1552 wrote to memory of 1084	1552	clr3.exe	srvs.exe
PID 1552 wrote to memory of 1084	1552	clr3.exe	srvs.exe
PID 1552 wrote to memory of 1084	1552	clr3.exe	srvs.exe
PID 1552 wrote to memory of 328	1552	clr3.exe	swnetwork.exe
PID 1552 wrote to memory of 328	1552	clr3.exe	swnetwork.exe
PID 1552 wrote to memory of 328	1552	clr3.exe	swnetwork.exe
PID 1552 wrote to memory of 328	1552	clr3.exe	swnetwork.exe
PID 1084 wrote to memory of 1620	1084	srvs.exe	srvs.tmp
PID 1084 wrote to memory of 1620	1084	srvs.exe	srvs.tmp
PID 1084 wrote to memory of 1620	1084	srvs.exe	srvs.tmp
PID 1084 wrote to memory of 1620	1084	srvs.exe	srvs.tmp
PID 1084 wrote to memory of 1620	1084	srvs.exe	srvs.tmp
PID 1084 wrote to memory of 1620	1084	srvs.exe	srvs.tmp
PID 1084 wrote to memory of 1620	1084	srvs.exe	srvs.tmp
PID 1620 wrote to memory of 1748	1620	srvs.tmp	cmd.exe
PID 1620 wrote to memory of 1748	1620	srvs.tmp	cmd.exe
PID 1620 wrote to memory of 1748	1620	srvs.tmp	cmd.exe
PID 1620 wrote to memory of 1748	1620	srvs.tmp	cmd.exe
PID 1748 wrote to memory of 1828	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 1828	1748	cmd.exe	timeout.exe
PID 1748 wrote to memory of 1828	1748	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\clr3.exe
"C:\Users\Admin\AppData\Local\Temp\clr3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\clr3.exe
"{path}"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\srvs.exe
"C:\Users\Admin\AppData\Local\Temp\srvs.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\is-16J1L.tmp\srvs.tmp
"C:\Users\Admin\AppData\Local\Temp\is-16J1L.tmp\srvs.tmp" /SL5="$40154,9285237,79360,C:\Users\Admin\AppData\Local\Temp\srvs.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\ProgramData\uacwev.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\timeout.exe
TIMEOUT /T 8
6⤵
- Delays execution with timeout.exe
PID:1828

C:\Users\Admin\AppData\Local\Temp\swnetwork.exe
"C:\Users\Admin\AppData\Local\Temp\swnetwork.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pass.exe

MD5
fe66a84c175bcd25b2a6221fa3c74976

SHA1
69745ac398f3cbbb61fa253625faff2c5e7defe0

SHA256
2984d41816d24e4f00f4aabead77f558d25134f70099d0da610adcefce82126c

SHA512
654842bb119f67163332887d9fe8e7f84ad24b1f3077acc49e830bec095b4fa7cac1d4d3168e626f5cadad3d6e5696cbac4d2700f7af2396a6c130e4c28f0c36

Download Submit
C:\ProgramData\uacwev.bat

MD5
ace1a6c2ea9446d1bd4b645d00bc2c46

SHA1
a9c41e189775db5a507785c1c527ff9fb7a07bd6

SHA256
2b875f4d5f0722425969fd5963fa0276a101ce63ddb91e5960f2860ab0aedbf4

SHA512
1fba8400d354a46fe3e1b19f8a4d817df1ef4c1289d42a8a2257af45838b6b468a0632b9f31239fc45de11771aa9d9fb0b803a6cda359b14c24fb05f71bddbb2

Download Submit
C:\ProgramData\uxtheme.dll

MD5
ab2dfff902a3396c2d829fc5f47d0f96

SHA1
8c89f1d3080419a23fc83d999d711923fd3d4c09

SHA256
7c7c1ab434c6d26365624712c833374ed1dee19f548b3386e64972bdda925694

SHA512
369ed24927506980e1c72d5476bcf98c8ec87b13d755fb301312ceb2d187993a06de8361dd6ed11dea34302f8703378815c94bd416448a1ce49bb3457ce2b0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16J1L.tmp\srvs.tmp

MD5
025b645d99b2eed57b669c7287d24c9e

SHA1
6883b676e66a277f43cb4d2eca130c6c47cfed51

SHA256
3acef212e738893efc7451c2a7c321ab0f48352b76c46bd6a14b5aeb054453a0

SHA512
6db459efe993f1321264168c262fe47a6b91ac2567ab0e417af361ecf2d911e47955478790591846b1840f92013536b5538c0cc528cec99782164f49ee00ba5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\srvs.exe

MD5
79143f8bb899f89ad0a244017e4934dd

SHA1
ac491a1e24185677ac59eb1d937b990941e4acd9

SHA256
c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56

SHA512
864972c955955114cf6df157c482bcb9a26b6b5179c549e4aebb25c41731b693a1eb9fb2f88b487ddf7a6421f31b7cfe80f516ca4f8db1d0655a6b587bae0b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\srvs.exe

MD5
79143f8bb899f89ad0a244017e4934dd

SHA1
ac491a1e24185677ac59eb1d937b990941e4acd9

SHA256
c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56

SHA512
864972c955955114cf6df157c482bcb9a26b6b5179c549e4aebb25c41731b693a1eb9fb2f88b487ddf7a6421f31b7cfe80f516ca4f8db1d0655a6b587bae0b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\swnetwork.exe

MD5
3a7d2f1815f84f8f678af316d2475e34

SHA1
f13b3cfee8d1f65583a9dd7fc98362e105f19d8e

SHA256
848d04f917e919caaf01ce7d1210a92c8516f1df5832d7a78d72f9c3b9aa4973

SHA512
df1cd6b0423594b5b0794e6505dc858cd77b66aa10b5a810d780c1ae16ad000aa85045171b464f4deef4e2783b8c824c48208ba000fa3b3d18f4b57030530eb2

Download Submit
\Users\Admin\AppData\Local\Temp\is-16J1L.tmp\srvs.tmp

MD5
025b645d99b2eed57b669c7287d24c9e

SHA1
6883b676e66a277f43cb4d2eca130c6c47cfed51

SHA256
3acef212e738893efc7451c2a7c321ab0f48352b76c46bd6a14b5aeb054453a0

SHA512
6db459efe993f1321264168c262fe47a6b91ac2567ab0e417af361ecf2d911e47955478790591846b1840f92013536b5538c0cc528cec99782164f49ee00ba5e

Download Submit
\Users\Admin\AppData\Local\Temp\srvs.exe

MD5
79143f8bb899f89ad0a244017e4934dd

SHA1
ac491a1e24185677ac59eb1d937b990941e4acd9

SHA256
c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56

SHA512
864972c955955114cf6df157c482bcb9a26b6b5179c549e4aebb25c41731b693a1eb9fb2f88b487ddf7a6421f31b7cfe80f516ca4f8db1d0655a6b587bae0b70

Download Submit
\Users\Admin\AppData\Local\Temp\swnetwork.exe

MD5
3a7d2f1815f84f8f678af316d2475e34

SHA1
f13b3cfee8d1f65583a9dd7fc98362e105f19d8e

SHA256
848d04f917e919caaf01ce7d1210a92c8516f1df5832d7a78d72f9c3b9aa4973

SHA512
df1cd6b0423594b5b0794e6505dc858cd77b66aa10b5a810d780c1ae16ad000aa85045171b464f4deef4e2783b8c824c48208ba000fa3b3d18f4b57030530eb2

Download Submit
memory/328-22-0x0000000000000000-mapping.dmp

Download
memory/328-35-0x00000000046E3000-0x00000000046E4000-memory.dmp

Filesize
4KB

Download
memory/328-41-0x00000000046E4000-0x00000000046E6000-memory.dmp

Filesize
8KB

Download
memory/328-27-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/328-30-0x0000000002120000-0x0000000002148000-memory.dmp

Filesize
160KB

Download
memory/328-34-0x00000000046E2000-0x00000000046E3000-memory.dmp

Filesize
4KB

Download
memory/328-31-0x0000000002150000-0x0000000002177000-memory.dmp

Filesize
156KB

Download
memory/328-25-0x0000000001E40000-0x0000000001E51000-memory.dmp

Filesize
68KB

Download
memory/328-33-0x00000000046E1000-0x00000000046E2000-memory.dmp

Filesize
4KB

Download
memory/1084-16-0x0000000000000000-mapping.dmp

Download
memory/1084-18-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1084-20-0x0000000000401000-0x000000000040E000-memory.dmp

Filesize
52KB

Download
memory/1552-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1552-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1552-14-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1552-10-0x000000000041E89A-mapping.dmp

Download
memory/1552-11-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-32-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1620-26-0x0000000000000000-mapping.dmp

Download
memory/1620-36-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1748-37-0x0000000000000000-mapping.dmp

Download
memory/1828-40-0x0000000000000000-mapping.dmp

Download
memory/1944-2-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1944-8-0x00000000048D0000-0x000000000492D000-memory.dmp

Filesize
372KB

Download
memory/1944-7-0x0000000007F60000-0x0000000007FFB000-memory.dmp

Filesize
620KB

Download
memory/1944-6-0x00000000003B0000-0x00000000003B5000-memory.dmp

Filesize
20KB

Download
memory/1944-5-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/1944-3-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download