redline | 97f6f4bd2bc1104bbe4c1b3cfe8ac386e8b4a35f0c9d2b63bcee04afea965965

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7v20210410
submitted
06-07-2021 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210706-183043.exe
Size

1.4MB
MD5

97afea1db16077be6b8d3a57f9b7a037
SHA1

540610e535d1a0cfac3725fd4d49fc2894665cf8
SHA256

97f6f4bd2bc1104bbe4c1b3cfe8ac386e8b4a35f0c9d2b63bcee04afea965965
SHA512

5938a2236cc6ac61977a42c4547ecc6e9c20c5cca29cb3e114970f90b28fe0daced06ee70490a604a0dbcee01565d5f6b1b49bf518ddcada1a50f9cc107d3a27

Score

10^/10

redline 3 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

185.215.113.46:61707

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1556-80-0x0000000000090000-0x00000000000AE000-memory.dmp	family_redline
behavioral1/memory/1556-85-0x0000000000090000-0x00000000000AE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Tuoi.exe.comTuoi.exe.comRegAsm.exe

pid process

1524 Tuoi.exe.com
648 Tuoi.exe.com
1556 RegAsm.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeTuoi.exe.comTuoi.exe.comRegAsm.exe

pid process

1320 cmd.exe
1524 Tuoi.exe.com
648 Tuoi.exe.com
1556 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Tuoi.exe.com

description pid process target process

PID 648 set thread context of 1556 648 Tuoi.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1420 PING.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RegAsm.exe

pid process

1556 RegAsm.exe
1556 RegAsm.exe
1556 RegAsm.exe
1556 RegAsm.exe
1556 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1556 RegAsm.exe

pid	process
1524	Tuoi.exe.com
648	Tuoi.exe.com
1556	RegAsm.exe

pid	process
1320	cmd.exe
1524	Tuoi.exe.com
648	Tuoi.exe.com
1556	RegAsm.exe

description	pid	process	target process
PID 648 set thread context of 1556	648	Tuoi.exe.com	RegAsm.exe

pid	process
1420	PING.EXE

pid	process
1556	RegAsm.exe
1556	RegAsm.exe
1556	RegAsm.exe
1556	RegAsm.exe
1556	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1556	RegAsm.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

mixazed_20210706-183043.execmd.execmd.exeTuoi.exe.comTuoi.exe.com

description	pid	process	target process
PID 368 wrote to memory of 1720	368	mixazed_20210706-183043.exe	cmd.exe
PID 368 wrote to memory of 1720	368	mixazed_20210706-183043.exe	cmd.exe
PID 368 wrote to memory of 1720	368	mixazed_20210706-183043.exe	cmd.exe
PID 368 wrote to memory of 1720	368	mixazed_20210706-183043.exe	cmd.exe
PID 1720 wrote to memory of 1320	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 1320	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 1320	1720	cmd.exe	cmd.exe
PID 1720 wrote to memory of 1320	1720	cmd.exe	cmd.exe
PID 1320 wrote to memory of 1232	1320	cmd.exe	findstr.exe
PID 1320 wrote to memory of 1232	1320	cmd.exe	findstr.exe
PID 1320 wrote to memory of 1232	1320	cmd.exe	findstr.exe
PID 1320 wrote to memory of 1232	1320	cmd.exe	findstr.exe
PID 1320 wrote to memory of 1524	1320	cmd.exe	Tuoi.exe.com
PID 1320 wrote to memory of 1524	1320	cmd.exe	Tuoi.exe.com
PID 1320 wrote to memory of 1524	1320	cmd.exe	Tuoi.exe.com
PID 1320 wrote to memory of 1524	1320	cmd.exe	Tuoi.exe.com
PID 1320 wrote to memory of 1420	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 1420	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 1420	1320	cmd.exe	PING.EXE
PID 1320 wrote to memory of 1420	1320	cmd.exe	PING.EXE
PID 1524 wrote to memory of 648	1524	Tuoi.exe.com	Tuoi.exe.com
PID 1524 wrote to memory of 648	1524	Tuoi.exe.com	Tuoi.exe.com
PID 1524 wrote to memory of 648	1524	Tuoi.exe.com	Tuoi.exe.com
PID 1524 wrote to memory of 648	1524	Tuoi.exe.com	Tuoi.exe.com
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe
PID 648 wrote to memory of 1556	648	Tuoi.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\mixazed_20210706-183043.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210706-183043.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Via.pst
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^tlSemPfKKHtYeILMlybXZRBSYbGlJvqJVEjBXzlIAbUyXeesdcOhdyxhJqrwptqgHxrnclOQUPvBXvUWcfUgHMzPlZSXdomcbFbDZDVyGX$" Uso.pst
4⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
Tuoi.exe.com T
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com T
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\T
MD5
bc72287b7396eb41ec437a2685e09c1d

SHA1
df0f741830a68d9fe1d8f2c157188026a7abbcef

SHA256
1496f40769731ea8bbe1af9d61e392caa702ab51c4694b30292910bea5b0be6b

SHA512
afd5d34df013e4a52f856b39586d3c0781a2b6e1bbffba175dde681c36dec76dd3ed8e87362610743d988db54f647e447be7e2f9d24c1d307ff20bc9684c48c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uccelli.pst
MD5
bc72287b7396eb41ec437a2685e09c1d

SHA1
df0f741830a68d9fe1d8f2c157188026a7abbcef

SHA256
1496f40769731ea8bbe1af9d61e392caa702ab51c4694b30292910bea5b0be6b

SHA512
afd5d34df013e4a52f856b39586d3c0781a2b6e1bbffba175dde681c36dec76dd3ed8e87362610743d988db54f647e447be7e2f9d24c1d307ff20bc9684c48c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Una.pst
MD5
8065184ab7c576641f725d0a9d39b0bc

SHA1
661a25cc092b92abe20bf2df865a93865d6fd7ef

SHA256
cd871114e9c04e2bcb9563226f97457c598f857cd28720d4a41ec3c565bceb65

SHA512
2baf87e133c4d6b467991b1f35b86b10f42aa7f2fcbc5a2ae2a34c240cfcafe40ad7059cb8cdb3527956b508648f43bf96ce1e5965be6a5c3572ceec56a1eb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.pst
MD5
4d799a18d42780d24ad3211887dc69ed

SHA1
f870d1729622259270697ceea4d65f40238a6b6c

SHA256
d7e4b6c6698e01bad54bf7151993e0270659fa2dba89917017556ec14ac69cdb

SHA512
e01ac3b4d06fdfadca04bafd52c24c97bf0afb4124e69cf39f927c3d22d1c450a121d9fa20a6f5b78e2cf5fbe166568b0fe1b07c53d304d841724b84c42ad252

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Via.pst
MD5
9c02ba86f93e6c82ced11eb4e58ae3b9

SHA1
8d230295fa1743420766af8428ff3789c6e4022a

SHA256
ab37eb4611b1d38b4dc6628c6d2512585b443c34069e46482b8d3d4d8ae68de6

SHA512
50cce62b5e9e8a7c1035bb9d13e281303fec7bd7bb3858b62eec71a151431df0df167719cf3b36fe1f004de5c031089987655475ae6fcd153a166ea9ef11e093

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tuoi.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/368-59-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/648-79-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/648-74-0x0000000000000000-mapping.dmp

Download
memory/1232-63-0x0000000000000000-mapping.dmp

Download
memory/1320-62-0x0000000000000000-mapping.dmp

Download
memory/1420-69-0x0000000000000000-mapping.dmp

Download
memory/1524-67-0x0000000000000000-mapping.dmp

Download
memory/1556-80-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/1556-85-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/1556-87-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1720-60-0x0000000000000000-mapping.dmp

Download