redline | d47a34d18de0c08fa32f88fabb0123de6521b20f21a955f050c019a89360acb8

Analysis

max time kernel
1579s
max time network
1580s
platform
windows7_x64
resource
win7v20210410
submitted
21-04-2021 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trainer v5.1.3.exe
Size

1.5MB
MD5

d411460e9cf04cd64bdc25345bc9783b
SHA1

3374f053e1b9d40558c65bd363a3bae336a76cc8
SHA256

d47a34d18de0c08fa32f88fabb0123de6521b20f21a955f050c019a89360acb8
SHA512

8b8b8b9054daedd9f39682ab3d44f757f28085e028e4b666bca17a997e61c48b52cadbfefb851da0b4b4d2979ecd399f55e74bc0c9dd29b44cc26022fb26bd07

Score

10^/10

redline studio product discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Studio Product

93.114.128.190:49966

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral5/memory/540-80-0x0000000000130000-0x00000000001A6000-memory.dmp	family_redline
behavioral5/memory/540-85-0x0000000000130000-0x00000000001A6000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Gioco.exe.comGioco.exe.comRegAsm.exe

pid process

1800 Gioco.exe.com
1740 Gioco.exe.com
540 RegAsm.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeGioco.exe.comRegAsm.exe

pid process

1852 cmd.exe
1740 Gioco.exe.com
540 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Gioco.exe.com

description pid process target process

PID 1740 set thread context of 540 1740 Gioco.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1660 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

540 RegAsm.exe
540 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 540 RegAsm.exe

pid	process
1800	Gioco.exe.com
1740	Gioco.exe.com
540	RegAsm.exe

pid	process
1852	cmd.exe
1740	Gioco.exe.com
540	RegAsm.exe

description	pid	process	target process
PID 1740 set thread context of 540	1740	Gioco.exe.com	RegAsm.exe

pid	process
1660	PING.EXE

pid	process
540	RegAsm.exe
540	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	540	RegAsm.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

trainer v5.1.3.execmd.execmd.exeGioco.exe.comGioco.exe.com

description	pid	process	target process
PID 1072 wrote to memory of 1264	1072	trainer v5.1.3.exe	makecab.exe
PID 1072 wrote to memory of 1264	1072	trainer v5.1.3.exe	makecab.exe
PID 1072 wrote to memory of 1264	1072	trainer v5.1.3.exe	makecab.exe
PID 1072 wrote to memory of 1264	1072	trainer v5.1.3.exe	makecab.exe
PID 1072 wrote to memory of 1724	1072	trainer v5.1.3.exe	cmd.exe
PID 1072 wrote to memory of 1724	1072	trainer v5.1.3.exe	cmd.exe
PID 1072 wrote to memory of 1724	1072	trainer v5.1.3.exe	cmd.exe
PID 1072 wrote to memory of 1724	1072	trainer v5.1.3.exe	cmd.exe
PID 1724 wrote to memory of 1852	1724	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1852	1724	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1852	1724	cmd.exe	cmd.exe
PID 1724 wrote to memory of 1852	1724	cmd.exe	cmd.exe
PID 1852 wrote to memory of 744	1852	cmd.exe	findstr.exe
PID 1852 wrote to memory of 744	1852	cmd.exe	findstr.exe
PID 1852 wrote to memory of 744	1852	cmd.exe	findstr.exe
PID 1852 wrote to memory of 744	1852	cmd.exe	findstr.exe
PID 1852 wrote to memory of 1800	1852	cmd.exe	Gioco.exe.com
PID 1852 wrote to memory of 1800	1852	cmd.exe	Gioco.exe.com
PID 1852 wrote to memory of 1800	1852	cmd.exe	Gioco.exe.com
PID 1852 wrote to memory of 1800	1852	cmd.exe	Gioco.exe.com
PID 1852 wrote to memory of 1660	1852	cmd.exe	PING.EXE
PID 1852 wrote to memory of 1660	1852	cmd.exe	PING.EXE
PID 1852 wrote to memory of 1660	1852	cmd.exe	PING.EXE
PID 1852 wrote to memory of 1660	1852	cmd.exe	PING.EXE
PID 1800 wrote to memory of 1740	1800	Gioco.exe.com	Gioco.exe.com
PID 1800 wrote to memory of 1740	1800	Gioco.exe.com	Gioco.exe.com
PID 1800 wrote to memory of 1740	1800	Gioco.exe.com	Gioco.exe.com
PID 1800 wrote to memory of 1740	1800	Gioco.exe.com	Gioco.exe.com
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe
PID 1740 wrote to memory of 540	1740	Gioco.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\trainer v5.1.3.exe
"C:\Users\Admin\AppData\Local\Temp\trainer v5.1.3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\makecab.exe
"C:\Windows\System32\makecab.exe"
2⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c JkufaXUkEbtZKZPMlStRRa & cmd < Miniato.mov
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^vvXPvIZBSPsLqkjJdLToMnnequtyvTHFhPngzExHHmCWDLLeyacGhGzXYUOdETyZoLnkMYdMsjAjWBmfxwqrbws$" Sembri.mov
4⤵
PID:744

C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com
Gioco.exe.com D
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com D
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Appare.mov
MD5
eb756ee1e6ae2ea1e629ee55688da47f

SHA1
885730d556073dcfaefb4674051ca41629a12648

SHA256
7c15c0956b029e76c3be33e053cef48db61d77db560705491f020e9c1e901e36

SHA512
d8dc3e72ec991b4a25188e83d4a8ea94b2c8abb3346d45192bed084e90462a1d03953c5e674afb217cec846851095cd595f3d905c00429583e40d8342cbdc6e2

Download Submit
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\D
MD5
22f98d3d92047a62e6f142fd432bfece

SHA1
740f9220aaa2de9b5db7b8bb55cef0035a5c52d1

SHA256
e9cd04d181350d3590cbf53ff7d14b18448346a60e4584bd6877dc4749694f59

SHA512
fa107a98ca604c08d563cf497646b5efd53c781ca020abf67111567903700e23d53802c986db619b1fafb9794b55979cad6322a88150869f22fd92e8d1b9be70

Download Submit
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Miniato.mov
MD5
ae0b54f7a6a94dc4005a8faf4d192052

SHA1
605744bbd37c6506bcb68c71f0179fed6c3fae6f

SHA256
41b677624c7b9490f40c2640b81b6b039ca709d25e5edf5f444ac4fa3edd9058

SHA512
40da247000660104aa613c4a279102bd489cb3244270b3664ace5eeed20e87e74727d27440c30d2171308613f8f159f3a04bda2e0d62cc5f8ec52931c2f46cfa

Download Submit
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Riconosco.mov
MD5
22f98d3d92047a62e6f142fd432bfece

SHA1
740f9220aaa2de9b5db7b8bb55cef0035a5c52d1

SHA256
e9cd04d181350d3590cbf53ff7d14b18448346a60e4584bd6877dc4749694f59

SHA512
fa107a98ca604c08d563cf497646b5efd53c781ca020abf67111567903700e23d53802c986db619b1fafb9794b55979cad6322a88150869f22fd92e8d1b9be70

Download Submit
C:\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Sembri.mov
MD5
f04ed5a4b31423f610e9021bf8e1f5ac

SHA1
022e175fa951ecbf749d873563f6d26971fb5f3a

SHA256
ebf40e49ca0fc49d54cb132df4be0e40f256756a374fca3257434963bb4cc3b3

SHA512
e156e6cc1a6b2a604f87fbd250df9da410397305884c95a48f99a87f819fae2abdb3d5a3c1f83e3d57a1002f1374216873348713d8924dd7b324c17f1d2120b2

Download Submit
\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\Gioco.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\NtIxqCkVwfZWlMVQFPwNxvSAEdponmQRdealKDTIzCeJKeFqgwnwQFOdjiPJa\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/540-80-0x0000000000130000-0x00000000001A6000-memory.dmp

Filesize
472KB

Download
memory/540-85-0x0000000000130000-0x00000000001A6000-memory.dmp

Filesize
472KB

Download
memory/540-87-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/744-65-0x0000000000000000-mapping.dmp

Download
memory/1072-60-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1264-61-0x0000000000000000-mapping.dmp

Download
memory/1660-72-0x0000000000000000-mapping.dmp

Download
memory/1724-62-0x0000000000000000-mapping.dmp

Download
memory/1740-74-0x0000000000000000-mapping.dmp

Download
memory/1740-79-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1852-64-0x0000000000000000-mapping.dmp

Download