redline | 83b897270a955267f21de7462bdbe05910e48825ef79cc8ae142713f925fb802

Analysis

max time kernel
95s
max time network
95s
platform
windows7_x64
resource
win7v20210410
submitted
28-04-2021 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skipper.exe
Size

1.1MB
MD5

dba8101da0c11a3026fbd7278f28f977
SHA1

0f17ce1e24adfe2386e6e25c68100749e5d79dbb
SHA256

83b897270a955267f21de7462bdbe05910e48825ef79cc8ae142713f925fb802
SHA512

f912e8a79c3a0275b57fd2b652fc92ccd5c7595ef329331f14a0529c109d7e72482ef98929a539b89516a972b8b455484a56d1ca20c5ba5dcea3b49c699b3a21

Score

10^/10

redline 1414 euu infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

EUU

download3.info:80

Extracted

Family

redline

Botnet

1414

188.119.112.16:46409

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1664-69-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1664-70-0x00000000004171EE-mapping.dmp	family_redline
behavioral1/memory/1664-71-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1736-82-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/1736-83-0x000000000042977E-mapping.dmp	family_redline
behavioral1/memory/1736-84-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

761647212.exe381717225.exe

pid process

296 761647212.exe
588 381717225.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1120 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

skipper.exe

pid process

1996 skipper.exe
1996 skipper.exe
1996 skipper.exe
1996 skipper.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
296	761647212.exe
588	381717225.exe

pid	process
1120	cmd.exe

pid	process
1996	skipper.exe
1996	skipper.exe
1996	skipper.exe
1996	skipper.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

761647212.exe381717225.exe

description	pid	process	target process
PID 296 set thread context of 1664	296	761647212.exe	AddInProcess32.exe
PID 588 set thread context of 1736	588	381717225.exe	AddInProcess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

skipper.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	skipper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	skipper.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1868 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AddInProcess32.exeAddInProcess32.exe

pid process

1664 AddInProcess32.exe
1664 AddInProcess32.exe
1736 AddInProcess32.exe
1736 AddInProcess32.exe

pid	process
1868	PING.EXE

pid	process
1664	AddInProcess32.exe
1664	AddInProcess32.exe
1736	AddInProcess32.exe
1736	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

761647212.exeAddInProcess32.exe381717225.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	296	761647212.exe
Token: SeDebugPrivilege	1664	AddInProcess32.exe
Token: SeDebugPrivilege	588	381717225.exe
Token: SeDebugPrivilege	1736	AddInProcess32.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

skipper.exe761647212.exe381717225.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 296	1996	skipper.exe	761647212.exe
PID 1996 wrote to memory of 296	1996	skipper.exe	761647212.exe
PID 1996 wrote to memory of 296	1996	skipper.exe	761647212.exe
PID 1996 wrote to memory of 296	1996	skipper.exe	761647212.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 296 wrote to memory of 1664	296	761647212.exe	AddInProcess32.exe
PID 1996 wrote to memory of 588	1996	skipper.exe	381717225.exe
PID 1996 wrote to memory of 588	1996	skipper.exe	381717225.exe
PID 1996 wrote to memory of 588	1996	skipper.exe	381717225.exe
PID 1996 wrote to memory of 588	1996	skipper.exe	381717225.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1944	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 588 wrote to memory of 1736	588	381717225.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1120	1996	skipper.exe	cmd.exe
PID 1996 wrote to memory of 1120	1996	skipper.exe	cmd.exe
PID 1996 wrote to memory of 1120	1996	skipper.exe	cmd.exe
PID 1996 wrote to memory of 1120	1996	skipper.exe	cmd.exe
PID 1120 wrote to memory of 1868	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 1868	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 1868	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 1868	1120	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\skipper.exe
"C:\Users\Admin\AppData\Local\Temp\skipper.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\761647212.exe
C:\Users\Admin\AppData\Local\Temp\761647212.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\AppData\Local\Temp\381717225.exe
C:\Users\Admin\AppData\Local\Temp\381717225.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\skipper.exe & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\PING.EXE
ping 0
3⤵
- Runs ping.exe
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c5f5c1945050533213bb5e8e4761f386

SHA1
4ed24284e148697704d9a684628eeeeb881e8591

SHA256
df71712a0aa059f341d74b4228be7b31775773f2126735964bd624c383b70865

SHA512
0f1c9f22b9f3a734df1ce3c0677a8ffa2fe38d26c8adb76eb368528a36fecc534c70658dc4972c2126bab7ae7cf703ed4f752f4539120a91b20c86a6a63226d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\381717225.exe
MD5
cca6e302974f8ad2cf237cbb402f7db8

SHA1
82483651f9c152a2ccf0a7f6a348c14daf73ccfc

SHA256
12da3023f88f28c58bfa10a19cf70481e263bed0ae9bd393369e6ed9b7971827

SHA512
cad0b4afd348085070f4a786bdcd62a5d01ca3413f07315956c09489b3ca92e09a893bc1960d25c9a650eeb3d0c4395a1b47d0562b359285794d9e4c0929ae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\381717225.exe
MD5
cca6e302974f8ad2cf237cbb402f7db8

SHA1
82483651f9c152a2ccf0a7f6a348c14daf73ccfc

SHA256
12da3023f88f28c58bfa10a19cf70481e263bed0ae9bd393369e6ed9b7971827

SHA512
cad0b4afd348085070f4a786bdcd62a5d01ca3413f07315956c09489b3ca92e09a893bc1960d25c9a650eeb3d0c4395a1b47d0562b359285794d9e4c0929ae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\761647212.exe
MD5
d51901e3386120269c6b08fcaa3816e7

SHA1
6b0a36ce8cb5390d4d53800e4bf5281fb0eb5d7e

SHA256
afd25aff257a6b31a2377b9633a0f4227da3112976c749c34858d85436d0af5a

SHA512
5639773bca6fdeefe91ca58776758c1abd2a8a67824365dd0140800ddaa3935dcd4568eeebe8163f564e8d3754bce65b339163a230bd7d17b5c6e16eb5c345f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\761647212.exe
MD5
d51901e3386120269c6b08fcaa3816e7

SHA1
6b0a36ce8cb5390d4d53800e4bf5281fb0eb5d7e

SHA256
afd25aff257a6b31a2377b9633a0f4227da3112976c749c34858d85436d0af5a

SHA512
5639773bca6fdeefe91ca58776758c1abd2a8a67824365dd0140800ddaa3935dcd4568eeebe8163f564e8d3754bce65b339163a230bd7d17b5c6e16eb5c345f5

Download Submit
\Users\Admin\AppData\Local\Temp\381717225.exe
MD5
cca6e302974f8ad2cf237cbb402f7db8

SHA1
82483651f9c152a2ccf0a7f6a348c14daf73ccfc

SHA256
12da3023f88f28c58bfa10a19cf70481e263bed0ae9bd393369e6ed9b7971827

SHA512
cad0b4afd348085070f4a786bdcd62a5d01ca3413f07315956c09489b3ca92e09a893bc1960d25c9a650eeb3d0c4395a1b47d0562b359285794d9e4c0929ae87

Download Submit
\Users\Admin\AppData\Local\Temp\381717225.exe
MD5
cca6e302974f8ad2cf237cbb402f7db8

SHA1
82483651f9c152a2ccf0a7f6a348c14daf73ccfc

SHA256
12da3023f88f28c58bfa10a19cf70481e263bed0ae9bd393369e6ed9b7971827

SHA512
cad0b4afd348085070f4a786bdcd62a5d01ca3413f07315956c09489b3ca92e09a893bc1960d25c9a650eeb3d0c4395a1b47d0562b359285794d9e4c0929ae87

Download Submit
\Users\Admin\AppData\Local\Temp\761647212.exe
MD5
d51901e3386120269c6b08fcaa3816e7

SHA1
6b0a36ce8cb5390d4d53800e4bf5281fb0eb5d7e

SHA256
afd25aff257a6b31a2377b9633a0f4227da3112976c749c34858d85436d0af5a

SHA512
5639773bca6fdeefe91ca58776758c1abd2a8a67824365dd0140800ddaa3935dcd4568eeebe8163f564e8d3754bce65b339163a230bd7d17b5c6e16eb5c345f5

Download Submit
\Users\Admin\AppData\Local\Temp\761647212.exe
MD5
d51901e3386120269c6b08fcaa3816e7

SHA1
6b0a36ce8cb5390d4d53800e4bf5281fb0eb5d7e

SHA256
afd25aff257a6b31a2377b9633a0f4227da3112976c749c34858d85436d0af5a

SHA512
5639773bca6fdeefe91ca58776758c1abd2a8a67824365dd0140800ddaa3935dcd4568eeebe8163f564e8d3754bce65b339163a230bd7d17b5c6e16eb5c345f5

Download Submit
memory/296-65-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/296-62-0x0000000000000000-mapping.dmp

Download
memory/296-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/588-81-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/588-75-0x0000000000000000-mapping.dmp

Download
memory/588-78-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1120-86-0x0000000000000000-mapping.dmp

Download
memory/1664-80-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1664-70-0x00000000004171EE-mapping.dmp

Download
memory/1664-69-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1664-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1736-82-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1736-83-0x000000000042977E-mapping.dmp

Download
memory/1736-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1736-88-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/1868-87-0x0000000000000000-mapping.dmp

Download
memory/1996-59-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download