redline | 5d3c164a69533582e2fcaaf4d39165a1eeba9c63d1b4a81971e5f2f7ab19513a

Analysis

max time kernel
48s
max time network
135s
platform
windows10_x64
resource
win10v20210410
submitted
22-07-2021 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210722-085032.exe
Size

1.1MB
MD5

ff6f0a35a5c1198e8b0f72822acf90c0
SHA1

1a26b1307b1a9c4ca699eeffe316ca5ee696b4bd
SHA256

5d3c164a69533582e2fcaaf4d39165a1eeba9c63d1b4a81971e5f2f7ab19513a
SHA512

c1f4469570c7b2a899615a9099f5eecdc284d879d26b11ab599e76257c2c7e823c01d64fb864588ecd98ab2ef610cd3d34a2f4c2e1ccf2378bfdbe49568654b8

Score

10^/10

redline nerino 10k discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Nerino 10k

salanoajalio.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3256-131-0x0000000000420000-0x000000000043E000-memory.dmp	family_redline
behavioral2/memory/3256-140-0x00000000049F0000-0x0000000004FF6000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Riflettere.exe.comRiflettere.exe.comRegAsm.exe

pid process

3672 Riflettere.exe.com
3156 Riflettere.exe.com
3256 RegAsm.exe
Drops startup file 1 IoCs

Processes:

Riflettere.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sMPymSRdde.url Riflettere.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Riflettere.exe.com

description pid process target process

PID 3156 set thread context of 3256 3156 Riflettere.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3656 PING.EXE

pid	process
3672	Riflettere.exe.com
3156	Riflettere.exe.com
3256	RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sMPymSRdde.url	Riflettere.exe.com

description	pid	process	target process
PID 3156 set thread context of 3256	3156	Riflettere.exe.com	RegAsm.exe

pid	process
3656	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Riflettere.exe.comRegAsm.exe

pid	process
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3156	Riflettere.exe.com
3256	RegAsm.exe
3256	RegAsm.exe
3256	RegAsm.exe
3256	RegAsm.exe
3256	RegAsm.exe
3256	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3256 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3256	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

mixazed_20210722-085032.execmd.execmd.exeRiflettere.exe.comRiflettere.exe.com

description	pid	process	target process
PID 4060 wrote to memory of 2420	4060	mixazed_20210722-085032.exe	cmd.exe
PID 4060 wrote to memory of 2420	4060	mixazed_20210722-085032.exe	cmd.exe
PID 4060 wrote to memory of 2420	4060	mixazed_20210722-085032.exe	cmd.exe
PID 2420 wrote to memory of 2880	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2880	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2880	2420	cmd.exe	cmd.exe
PID 2880 wrote to memory of 2888	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 2888	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 2888	2880	cmd.exe	findstr.exe
PID 2880 wrote to memory of 3672	2880	cmd.exe	Riflettere.exe.com
PID 2880 wrote to memory of 3672	2880	cmd.exe	Riflettere.exe.com
PID 2880 wrote to memory of 3672	2880	cmd.exe	Riflettere.exe.com
PID 2880 wrote to memory of 3656	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 3656	2880	cmd.exe	PING.EXE
PID 2880 wrote to memory of 3656	2880	cmd.exe	PING.EXE
PID 3672 wrote to memory of 3156	3672	Riflettere.exe.com	Riflettere.exe.com
PID 3672 wrote to memory of 3156	3672	Riflettere.exe.com	Riflettere.exe.com
PID 3672 wrote to memory of 3156	3672	Riflettere.exe.com	Riflettere.exe.com
PID 3156 wrote to memory of 3256	3156	Riflettere.exe.com	RegAsm.exe
PID 3156 wrote to memory of 3256	3156	Riflettere.exe.com	RegAsm.exe
PID 3156 wrote to memory of 3256	3156	Riflettere.exe.com	RegAsm.exe
PID 3156 wrote to memory of 3256	3156	Riflettere.exe.com	RegAsm.exe
PID 4060 wrote to memory of 2840	4060	mixazed_20210722-085032.exe	cmd.exe
PID 4060 wrote to memory of 2840	4060	mixazed_20210722-085032.exe	cmd.exe
PID 4060 wrote to memory of 2840	4060	mixazed_20210722-085032.exe	cmd.exe
PID 3156 wrote to memory of 3256	3156	Riflettere.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\mixazed_20210722-085032.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210722-085032.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Turbamento.vstm
2⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^hNdVJZVWpvpxZESWIqQkxENNmvhdviIwPmhAAYtASQCtHpazVhBEhjrIZCvjLFmeNiFmsacJWdzDeJufrUcpGrODcFAXCROhdAdAETeDRSHXSmGf$" Dall.vstm
4⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com
Riflettere.exe.com e
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com e
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
MD5
57db6339bf01bb586eb9df30a4b2c5cd

SHA1
9423ef97b4ec1d231a06b85deaf7ed6c732f7677

SHA256
37fbea0447bf4aba5e2b0b2c3ab59fe99b2c4dbfe3dc12a6904d8658fba143da

SHA512
530b25f920e682c99c93f4ae2b8fb8c0dc30539c64432f6b7039bd05963df49606ea3a6f60f13f924de877e9f4e9f6b364c25687bf3b1820b5ed8760e00cea08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dall.vstm
MD5
6b13e966110ee6e64ccb974759bcbb9c

SHA1
b16222d128e4ddbdf3d7e186b44d411c16ea592c

SHA256
6ba1cae5717e6842405f1ba06661c9df37ca5a79ae7d9fa35459fe38f6e65af2

SHA512
51ada73bf7f81a87b71d3e772f195ed91cdf992ece565213bcc4504d08cad6dc8db8ea3b844dbbb534236d82a095f5c85ea6dc5a3d40f468fa324575ecb39de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenga.vstm
MD5
1d909c5d5af918d424db0cd799ddfbc1

SHA1
32a190c07db8573e7e393c3e358f148a755944f1

SHA256
19c779f7cc2972c2b4baa8e67142d71dbc14da72c5855ab1d035babb59f082b8

SHA512
9937dfc59a83a2a3d08138a97a2c5e9707a63a11c9f99afd8dd699538b78cb97396c58271bd3303a83eae8808f0ddbaece303fa39f67013289e4a2d04167ffdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puo.vstm
MD5
979131f1f9a50d2ecb059c6078b188af

SHA1
18a535e0b35dddb22d9242553491eb909d77f46c

SHA256
0acdedd5b3469a6372d76de6de9435e38a098ef157453728b5090baf7228361d

SHA512
c3677e96345ce5da150bebcb54a508bfc814cc1c2d688a024318aa24d060e764dfd8338694e4cfef8580359bdb021e3130feb26f5faa92a4efc6ab072d07af56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riflettere.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Turbamento.vstm
MD5
d01168146bbd77f8d20ae7cb2eea7e25

SHA1
5d7d4727c4e9d1d6e4ce66f370f37cbf78c5d61c

SHA256
d54ce92e200a2e181865bc5c26dcef24d2f95bd47fa03c893ea6fcc91e761093

SHA512
a37d5d1b2d77a4d6b49baf50f82926be3bdf82a5061bc488e07aefd4d171ee274b7091d7b37bd25959b771712d7768ead80b071b63f1bd6ef7825e643336fdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\e
MD5
1d909c5d5af918d424db0cd799ddfbc1

SHA1
32a190c07db8573e7e393c3e358f148a755944f1

SHA256
19c779f7cc2972c2b4baa8e67142d71dbc14da72c5855ab1d035babb59f082b8

SHA512
9937dfc59a83a2a3d08138a97a2c5e9707a63a11c9f99afd8dd699538b78cb97396c58271bd3303a83eae8808f0ddbaece303fa39f67013289e4a2d04167ffdd

Download Submit
memory/2420-114-0x0000000000000000-mapping.dmp

Download
memory/2840-129-0x0000000000000000-mapping.dmp

Download
memory/2880-116-0x0000000000000000-mapping.dmp

Download
memory/2888-117-0x0000000000000000-mapping.dmp

Download
memory/3156-128-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3156-124-0x0000000000000000-mapping.dmp

Download
memory/3256-141-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3256-140-0x00000000049F0000-0x0000000004FF6000-memory.dmp

Filesize
6.0MB

Download
memory/3256-146-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/3256-136-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3256-137-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3256-138-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3256-139-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3256-145-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/3256-131-0x0000000000420000-0x000000000043E000-memory.dmp

Filesize
120KB

Download
memory/3256-142-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/3256-143-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/3256-144-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/3656-122-0x0000000000000000-mapping.dmp

Download
memory/3672-120-0x0000000000000000-mapping.dmp

Download