redline | 3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020

Analysis

max time kernel
73s
max time network
75s
platform
windows7_x64
resource
win7v20210408
submitted
06-05-2021 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117E4E3F1B6EDAE6745F82CF072008F1.exe
Size

1.0MB
MD5

117e4e3f1b6edae6745f82cf072008f1
SHA1

62bcde8f6c592a4be16b0d0feeb5fa2df13b0619
SHA256

3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020
SHA512

f7e5ee09daf8e52729feb9259457659f0575f6695842611c01e327b8e70d7a10bc9901662fecb28a1c8b35ac57e86bd92f4a93d4fcca203f24502255274223c1

Score

10^/10

redline 9874 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

9874

nshoreyle.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1160-79-0x0000000000090000-0x00000000000AC000-memory.dmp	family_redline
behavioral1/memory/1160-84-0x0000000000090000-0x00000000000AC000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Sta.exe.comSta.exe.comRegAsm.exe

pid process

1800 Sta.exe.com
400 Sta.exe.com
1160 RegAsm.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeSta.exe.comRegAsm.exe

pid process

108 cmd.exe
400 Sta.exe.com
1160 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sta.exe.com

description pid process target process

PID 400 set thread context of 1160 400 Sta.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1696 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

1160 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1160 RegAsm.exe

pid	process
1800	Sta.exe.com
400	Sta.exe.com
1160	RegAsm.exe

pid	process
108	cmd.exe
400	Sta.exe.com
1160	RegAsm.exe

description	pid	process	target process
PID 400 set thread context of 1160	400	Sta.exe.com	RegAsm.exe

pid	process
1696	PING.EXE

pid	process
1160	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1160	RegAsm.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

117E4E3F1B6EDAE6745F82CF072008F1.execmd.execmd.exeSta.exe.comSta.exe.com

description	pid	process	target process
PID 1840 wrote to memory of 620	1840	117E4E3F1B6EDAE6745F82CF072008F1.exe	cmd.exe
PID 1840 wrote to memory of 620	1840	117E4E3F1B6EDAE6745F82CF072008F1.exe	cmd.exe
PID 1840 wrote to memory of 620	1840	117E4E3F1B6EDAE6745F82CF072008F1.exe	cmd.exe
PID 1840 wrote to memory of 620	1840	117E4E3F1B6EDAE6745F82CF072008F1.exe	cmd.exe
PID 620 wrote to memory of 108	620	cmd.exe	cmd.exe
PID 620 wrote to memory of 108	620	cmd.exe	cmd.exe
PID 620 wrote to memory of 108	620	cmd.exe	cmd.exe
PID 620 wrote to memory of 108	620	cmd.exe	cmd.exe
PID 108 wrote to memory of 1620	108	cmd.exe	findstr.exe
PID 108 wrote to memory of 1620	108	cmd.exe	findstr.exe
PID 108 wrote to memory of 1620	108	cmd.exe	findstr.exe
PID 108 wrote to memory of 1620	108	cmd.exe	findstr.exe
PID 108 wrote to memory of 1800	108	cmd.exe	Sta.exe.com
PID 108 wrote to memory of 1800	108	cmd.exe	Sta.exe.com
PID 108 wrote to memory of 1800	108	cmd.exe	Sta.exe.com
PID 108 wrote to memory of 1800	108	cmd.exe	Sta.exe.com
PID 108 wrote to memory of 1696	108	cmd.exe	PING.EXE
PID 108 wrote to memory of 1696	108	cmd.exe	PING.EXE
PID 108 wrote to memory of 1696	108	cmd.exe	PING.EXE
PID 108 wrote to memory of 1696	108	cmd.exe	PING.EXE
PID 1800 wrote to memory of 400	1800	Sta.exe.com	Sta.exe.com
PID 1800 wrote to memory of 400	1800	Sta.exe.com	Sta.exe.com
PID 1800 wrote to memory of 400	1800	Sta.exe.com	Sta.exe.com
PID 1800 wrote to memory of 400	1800	Sta.exe.com	Sta.exe.com
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe
PID 400 wrote to memory of 1160	400	Sta.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\117E4E3F1B6EDAE6745F82CF072008F1.exe
"C:\Users\Admin\AppData\Local\Temp\117E4E3F1B6EDAE6745F82CF072008F1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c OjTdveCmOYGkwPuVcKiZNQpZgITQtdpOakAXUzIiXgaubigrkVRWUyRXrTwOpLxnOSSPfoqweZenbeCixQFpnhThxCU & cmd < Dai.mp4
2⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^aUkEmTrtPLftfXTJGsUJbGeamVtEFfQQoaHhAtLwnlFklwqAGOsXaZfLRTyEPmnAVmVWfGoBFTljwRobUEYRXSbprWcHZikZLyfKutlqFQanPeKqKIJkAHDewMTzlACbHlBV$" Lancio.mp4
4⤵
PID:1620

C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com
Sta.exe.com x
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com x
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Dai.mp4
MD5
0e56f66476f6e3a85190704a7e046982

SHA1
750712070aa3c7daf4b7a0b4c5e8af24f6f985d1

SHA256
1e20974b76c4bb90a87c81baa20c8c53884ae2aa785049a2746b3ba674abcfe6

SHA512
0e6a82d8418deae83fd0359ef528c2b1a40c8ea44b9e6a6a5800552b30ffb28c558f30b768bed19f4d093329ca3f0cd0bc35d7f2583a1215e3dc0be1206a31d8

Download Submit
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Dov.mp4
MD5
e285cd820751c970d433c30be18f9b1f

SHA1
98f29b363800196529e365e2aaf9b19412b9a444

SHA256
9e41888516b60390bcfed7d9e5ebed0425e759472629741a766cc9f6071bd3e3

SHA512
938de25e5f6bf1a7d5eb3212232899eb38184104bea0d5205fa9bdbd3ed2e848a6b32816b865c14539af3461a9c8ea7ff61021a7b7dcd731026d43322133dee7

Download Submit
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Lancio.mp4
MD5
6766c39c9986df037b4a80c79cb6bb57

SHA1
dda7df5e57484eb7c9b976a0554e2dc720689d20

SHA256
b970d4b3e1a03fded470a637d2adcddff6c7e2b933241fa22c626d46dabc2c47

SHA512
824791e911cae758a437bcb32eb8389bd8963c4b5a53751bf5d8fb59fbb91dfbc5a3ddd796f5bae971099bd812c576a3620a9626727ce0cfe1db1f95e603eb1f

Download Submit
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Vedremo.mp4
MD5
f38303433bf6beb49dcde52b2f19af65

SHA1
6f71a3cc54e96cdc326f5f1e4677d19e1357a1c5

SHA256
ccb312ffe82d736ee2ca37bc89c665b6817b155766d1753d0dd70a8af1727d5e

SHA512
8092a35a3eccedef93cdf0ef6a1502f5c490b481a024db7565c53f45bbc011f7c98c346735c3828c4d83909635725411f9e9d3c7fd0b87d0886f7d5d3502130a

Download Submit
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\x
MD5
f38303433bf6beb49dcde52b2f19af65

SHA1
6f71a3cc54e96cdc326f5f1e4677d19e1357a1c5

SHA256
ccb312ffe82d736ee2ca37bc89c665b6817b155766d1753d0dd70a8af1727d5e

SHA512
8092a35a3eccedef93cdf0ef6a1502f5c490b481a024db7565c53f45bbc011f7c98c346735c3828c4d83909635725411f9e9d3c7fd0b87d0886f7d5d3502130a

Download Submit
\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/108-63-0x0000000000000000-mapping.dmp

Download
memory/400-78-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/400-73-0x0000000000000000-mapping.dmp

Download
memory/620-61-0x0000000000000000-mapping.dmp

Download
memory/1160-79-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1160-84-0x0000000000090000-0x00000000000AC000-memory.dmp

Filesize
112KB

Download
memory/1160-86-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1620-64-0x0000000000000000-mapping.dmp

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download
memory/1800-68-0x0000000000000000-mapping.dmp

Download
memory/1840-60-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download