redline | 3c3bee00c300584717e1c307e690d05ab1c6c98428d83ca0d4285fe24a9e1015

Analysis

max time kernel
121s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
31-03-2021 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Heur.17155.13989.exe
Size

1.6MB
MD5

3c2b4c4920ccbb7456ea0539e596948c
SHA1

948ad5579c0aef35050ec330ce954bc84cfe2559
SHA256

3c3bee00c300584717e1c307e690d05ab1c6c98428d83ca0d4285fe24a9e1015
SHA512

397cf6a365ea609bfbe47868009081dd13c1662b4de2580e86d46de4fc4ec64263d36cab77329c7142acf7c7ee151eae44f86a394d526d8907a9da0724a92322

Score

10^/10

redline 5kmaraafterbuild discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

5kmaraafterbuild

217.12.209.30:44444

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 1 IoCs

Processes:

svclip.exe

pid process

2436 svclip.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2436	svclip.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Heur.17155.13989.exesvclip.exe

description	pid	process	target process
PID 3300 set thread context of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 2436 set thread context of 2400	2436	svclip.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3416 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SecuriteInfo.com.Heur.17155.13989.exe

pid process

188 SecuriteInfo.com.Heur.17155.13989.exe

pid	process
3416	schtasks.exe

pid	process
188	SecuriteInfo.com.Heur.17155.13989.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Heur.17155.13989.exeSecuriteInfo.com.Heur.17155.13989.exesvclip.exe

description	pid	process
Token: SeDebugPrivilege	3300	SecuriteInfo.com.Heur.17155.13989.exe
Token: SeDebugPrivilege	188	SecuriteInfo.com.Heur.17155.13989.exe
Token: SeDebugPrivilege	2436	svclip.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

SecuriteInfo.com.Heur.17155.13989.exeSecuriteInfo.com.Heur.17155.13989.exesvclip.exe

description	pid	process	target process
PID 3300 wrote to memory of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 3300 wrote to memory of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 3300 wrote to memory of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 3300 wrote to memory of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 3300 wrote to memory of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 3300 wrote to memory of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 3300 wrote to memory of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 3300 wrote to memory of 188	3300	SecuriteInfo.com.Heur.17155.13989.exe	SecuriteInfo.com.Heur.17155.13989.exe
PID 188 wrote to memory of 2436	188	SecuriteInfo.com.Heur.17155.13989.exe	svclip.exe
PID 188 wrote to memory of 2436	188	SecuriteInfo.com.Heur.17155.13989.exe	svclip.exe
PID 188 wrote to memory of 2436	188	SecuriteInfo.com.Heur.17155.13989.exe	svclip.exe
PID 2436 wrote to memory of 3416	2436	svclip.exe	schtasks.exe
PID 2436 wrote to memory of 3416	2436	svclip.exe	schtasks.exe
PID 2436 wrote to memory of 3416	2436	svclip.exe	schtasks.exe
PID 2436 wrote to memory of 2400	2436	svclip.exe	RegSvcs.exe
PID 2436 wrote to memory of 2400	2436	svclip.exe	RegSvcs.exe
PID 2436 wrote to memory of 2400	2436	svclip.exe	RegSvcs.exe
PID 2436 wrote to memory of 2400	2436	svclip.exe	RegSvcs.exe
PID 2436 wrote to memory of 2400	2436	svclip.exe	RegSvcs.exe
PID 2436 wrote to memory of 2400	2436	svclip.exe	RegSvcs.exe
PID 2436 wrote to memory of 2400	2436	svclip.exe	RegSvcs.exe
PID 2436 wrote to memory of 2400	2436	svclip.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.17155.13989.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.17155.13989.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.17155.13989.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:188
- - C:\Users\Admin\AppData\Local\Temp\svclip.exe
    "C:\Users\Admin\AppData\Local\Temp\svclip.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VFexOIUZszUQsS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA7E.tmp"
      4⤵
      Creates scheduled task(s)
      PID:3416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      4⤵
      PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Heur.17155.13989.exe.log

MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svclip.exe

MD5
56d7b785daabffb116707aeddaea4759

SHA1
de097b73aa102b0fb770a6eb966ba76f01ebd4fd

SHA256
f368e01fbba37ee10ab9a92e0aba1f68f7b92f7bc67a4670fcfb0d93f87be451

SHA512
98cc588528452f44a63e9345268436589816c9adb70e75972d236450809bbd6962610bad2f5bc10ea1514c8af138fb6f64061e9d11574104743a1310a1280331

Download Submit
C:\Users\Admin\AppData\Local\Temp\svclip.exe

MD5
56d7b785daabffb116707aeddaea4759

SHA1
de097b73aa102b0fb770a6eb966ba76f01ebd4fd

SHA256
f368e01fbba37ee10ab9a92e0aba1f68f7b92f7bc67a4670fcfb0d93f87be451

SHA512
98cc588528452f44a63e9345268436589816c9adb70e75972d236450809bbd6962610bad2f5bc10ea1514c8af138fb6f64061e9d11574104743a1310a1280331

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA7E.tmp

MD5
99da4b7d030844651907cfcf303f2d9d

SHA1
24bf686588ae203d1314d1f2ba839dbbba445ab9

SHA256
62cb8c434d6ebcad19f1d5a45a2062c875e3303069c1a615b894702c41159f8a

SHA512
b3e763647ab09cf591c83d76c1527e76ee3e080b6b70d002ad5c5ed9872a0084d50d2b077d61b1e78e45e2fbb69ff285b2cb8679a5998d5651106f27552b13c7

Download Submit
memory/188-29-0x0000000006A40000-0x0000000006A41000-memory.dmp

Filesize
4KB

Download
memory/188-16-0x000000000042979A-mapping.dmp

Download
memory/188-26-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/188-25-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/188-33-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/188-30-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/188-27-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/188-28-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/188-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/188-24-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/188-23-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/188-18-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/188-21-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/188-22-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2400-61-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/2400-53-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2400-55-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-54-0x000000000040403E-mapping.dmp

Download
memory/2436-38-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/2436-39-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2436-50-0x000000000AA20000-0x000000000AA72000-memory.dmp

Filesize
328KB

Download
memory/2436-49-0x00000000083A0000-0x0000000008443000-memory.dmp

Filesize
652KB

Download
memory/2436-46-0x0000000007BE0000-0x0000000007CC7000-memory.dmp

Filesize
924KB

Download
memory/2436-35-0x0000000000000000-mapping.dmp

Download
memory/2436-45-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2436-44-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3300-10-0x000000000B360000-0x000000000B3FE000-memory.dmp

Filesize
632KB

Download
memory/3300-2-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/3300-9-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/3300-14-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/3300-11-0x0000000008050000-0x0000000008055000-memory.dmp

Filesize
20KB

Download
memory/3300-12-0x000000000B4A0000-0x000000000B4A1000-memory.dmp

Filesize
4KB

Download
memory/3300-13-0x000000000B540000-0x000000000B5EF000-memory.dmp

Filesize
700KB

Download
memory/3300-7-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/3300-8-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/3300-6-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/3300-5-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/3300-3-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3416-51-0x0000000000000000-mapping.dmp

Download