redline | 9890b3cc84a7417c40435676f4e27e4a816143a4545a7c3cb75cc4b3819945e4

General

Target

cbb62490f144ce119dcbe5d1ef7f4ff6.exe
Size

1.1MB
MD5

cbb62490f144ce119dcbe5d1ef7f4ff6
SHA1

4a153e0057673011a7fdc38eed71f11fc9708e90
SHA256

9890b3cc84a7417c40435676f4e27e4a816143a4545a7c3cb75cc4b3819945e4
SHA512

203111d011c842400f8cd5cdf8b9ee2ffabe7ef162535db1385f97843675b25400b52811d7d199cf2737148625b106f85b5ba6dc5244f394c55caf86bec77282

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 2 IoCs

Processes:

tempfl.exeCL_Debug_Log.txt

pid process

2120 tempfl.exe
3840 CL_Debug_Log.txt
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2120	tempfl.exe
3840	CL_Debug_Log.txt

autoit_exe 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tempfl.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\tempfl.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\32.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\64.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1004 schtasks.exe
NTFS ADS 1 IoCs

Processes:

tempfl.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\GFBFPSXA\root\CIMV2 tempfl.exe

pid	process
1004	schtasks.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\GFBFPSXA\root\CIMV2	tempfl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cbb62490f144ce119dcbe5d1ef7f4ff6.exetempfl.exe

pid	process
624	cbb62490f144ce119dcbe5d1ef7f4ff6.exe
624	cbb62490f144ce119dcbe5d1ef7f4ff6.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

cbb62490f144ce119dcbe5d1ef7f4ff6.exeCL_Debug_Log.txt

description	pid	process
Token: SeDebugPrivilege	624	cbb62490f144ce119dcbe5d1ef7f4ff6.exe
Token: SeRestorePrivilege	3840	CL_Debug_Log.txt
Token: 35	3840	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3840	CL_Debug_Log.txt
Token: SeSecurityPrivilege	3840	CL_Debug_Log.txt

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

tempfl.exe

pid process

2120 tempfl.exe
2120 tempfl.exe
2120 tempfl.exe
2120 tempfl.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

tempfl.exe

pid process

2120 tempfl.exe
2120 tempfl.exe
2120 tempfl.exe
2120 tempfl.exe

pid	process
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe

pid	process
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe
2120	tempfl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cbb62490f144ce119dcbe5d1ef7f4ff6.exetempfl.execmd.exe

description	pid	process	target process
PID 624 wrote to memory of 2120	624	cbb62490f144ce119dcbe5d1ef7f4ff6.exe	tempfl.exe
PID 624 wrote to memory of 2120	624	cbb62490f144ce119dcbe5d1ef7f4ff6.exe	tempfl.exe
PID 624 wrote to memory of 2120	624	cbb62490f144ce119dcbe5d1ef7f4ff6.exe	tempfl.exe
PID 2120 wrote to memory of 3840	2120	tempfl.exe	CL_Debug_Log.txt
PID 2120 wrote to memory of 3840	2120	tempfl.exe	CL_Debug_Log.txt
PID 2120 wrote to memory of 3840	2120	tempfl.exe	CL_Debug_Log.txt
PID 2120 wrote to memory of 3140	2120	tempfl.exe	cmd.exe
PID 2120 wrote to memory of 3140	2120	tempfl.exe	cmd.exe
PID 2120 wrote to memory of 3140	2120	tempfl.exe	cmd.exe
PID 3140 wrote to memory of 1004	3140	cmd.exe	schtasks.exe
PID 3140 wrote to memory of 1004	3140	cmd.exe	schtasks.exe
PID 3140 wrote to memory of 1004	3140	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\cbb62490f144ce119dcbe5d1ef7f4ff6.exe
"C:\Users\Admin\AppData\Local\Temp\cbb62490f144ce119dcbe5d1ef7f4ff6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\tempfl.exe
"C:\Users\Admin\AppData\Local\Temp\tempfl.exe"
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
3⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
4⤵
- Creates scheduled task(s)
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe
MD5
be7e0a04a98992393ed7d9001b26ce7e

SHA1
70803643140ae2e6dfb11788a435aa5213061819

SHA256
61b8fe15a0ac98a6011d592d19a5a1f3e90583159b0025d01c734a3e3646738d

SHA512
ae4d2a87b57b8ea3b64cc1af45677893008557ff622098e6371762e5be2494b1418ad9f07c233a65df20aefdb53e2b3d1cff429b1844a7ed266886900f78c9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe
MD5
4561b398282ef899552a80a28a943803

SHA1
a44ff5522fe7c7cee5d8dd473a9e5207d9363866

SHA256
eac46338f5978c42aaed22378f36c99184cfba6bee27bb6806db22efcd81d1e8

SHA512
573798c5316d75d4384608c9bf40a494233a3b516d70ec3677fa8187d514a65a68d6154d2de2db6277c20ba1aebad8a737734d263fe7ce92af873ad639be5743

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
MD5
a66d45cb4996918c5592a4f7d41cc1a3

SHA1
21ea8e6abce0613eda4cc6e69d8f436d972500c2

SHA256
c808b768710386a679e711f11af8b1813ec1fe354d221cd1032555191dc08555

SHA512
8ee234256f611397fda2776bf42d142ea002ebc913ec8fbba8a2aa029ee65d1c28c687095d63a34cf56b40b7308a8474d82683c836991aade33cb4b5b4bb0b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml
MD5
ed8adc90f2e04d496f18c24e72a91392

SHA1
4cc10c39e9d9ae112301b1dedbdae81dac7c8377

SHA256
2ca2030406125497e931a57dcd97d91d91c841fad7c8802997edd7a808df9a1c

SHA512
111aada5a535b7f57be344b2e56db85fb0fe92174b79381befa648aadd99ca5bbc21ac585da7fba9b552723c38a3d9e56b67c0470ff1563a9915dc3c0ab44f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempfl.exe
MD5
12e441a02e461181c6a0155fd4f21ffc

SHA1
fb17ae09d164babf8f1aa457217fcc5e5d57b3ce

SHA256
63b21907d882f0d391145a8deb582b163527cf9b17a44704678a0897cd1eb632

SHA512
e0c29ff95dcf5caa697395dd82cfa766931c64158871f4080f960b90da712043a23bcd160c9c2bcd6c94b5a7ea9dbdbbcba31f0a36ab1a2fc6995eae62d1e1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempfl.exe
MD5
12e441a02e461181c6a0155fd4f21ffc

SHA1
fb17ae09d164babf8f1aa457217fcc5e5d57b3ce

SHA256
63b21907d882f0d391145a8deb582b163527cf9b17a44704678a0897cd1eb632

SHA512
e0c29ff95dcf5caa697395dd82cfa766931c64158871f4080f960b90da712043a23bcd160c9c2bcd6c94b5a7ea9dbdbbcba31f0a36ab1a2fc6995eae62d1e1cc

Download Submit
memory/624-125-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/624-126-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/624-116-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/624-121-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/624-120-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/624-117-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/624-119-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/624-124-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/624-123-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/624-122-0x00000000066E0000-0x00000000066E1000-memory.dmp

Filesize
4KB

Download
memory/624-118-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1004-139-0x0000000000000000-mapping.dmp

Download
memory/2120-135-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/2120-127-0x0000000000000000-mapping.dmp

Download
memory/3140-134-0x0000000000000000-mapping.dmp

Download
memory/3840-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads