redline | 89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2

Analysis

max time kernel
26s
max time network
68s
platform
windows10_x64
resource
win10v20210408
submitted
25-07-2021 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9E410393702B6902ABDE53FC8B588527.exe
Size

2.3MB
MD5

9e410393702b6902abde53fc8b588527
SHA1

0a4d2250a4d47e4e9993e0e806545d8731fe5b35
SHA256

89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
SHA512

66353988d7a905232f1a7462397c4cc1eba7eed1a819a6f5ed22ddff050f97624a702d3780c535eef08eac0bebde1b9d4a92f08c35fcab266e6a77ab3c5f5386

Score

10^/10

redline @menvzlomali discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@menvzlomali

xetadycami.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@menvzlomali.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe	family_redline

Executes dropped EXE 6 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe@menvzlomali.exe

pid process

4060 7z.exe
3768 7z.exe
2972 7z.exe
3824 7z.exe
3684 7z.exe
2060 @menvzlomali.exe
Loads dropped DLL 5 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe

pid process

4060 7z.exe
3768 7z.exe
2972 7z.exe
3824 7z.exe
3684 7z.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

@menvzlomali.exe

pid process

2060 @menvzlomali.exe
2060 @menvzlomali.exe

pid	process
4060	7z.exe
3768	7z.exe
2972	7z.exe
3824	7z.exe
3684	7z.exe
2060	@menvzlomali.exe

pid	process
4060	7z.exe
3768	7z.exe
2972	7z.exe
3824	7z.exe
3684	7z.exe

pid	process
2060	@menvzlomali.exe
2060	@menvzlomali.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe@menvzlomali.exe

description	pid	process
Token: SeRestorePrivilege	4060	7z.exe
Token: 35	4060	7z.exe
Token: SeSecurityPrivilege	4060	7z.exe
Token: SeSecurityPrivilege	4060	7z.exe
Token: SeRestorePrivilege	3768	7z.exe
Token: 35	3768	7z.exe
Token: SeSecurityPrivilege	3768	7z.exe
Token: SeSecurityPrivilege	3768	7z.exe
Token: SeRestorePrivilege	2972	7z.exe
Token: 35	2972	7z.exe
Token: SeSecurityPrivilege	2972	7z.exe
Token: SeSecurityPrivilege	2972	7z.exe
Token: SeRestorePrivilege	3824	7z.exe
Token: 35	3824	7z.exe
Token: SeSecurityPrivilege	3824	7z.exe
Token: SeSecurityPrivilege	3824	7z.exe
Token: SeRestorePrivilege	3684	7z.exe
Token: 35	3684	7z.exe
Token: SeSecurityPrivilege	3684	7z.exe
Token: SeSecurityPrivilege	3684	7z.exe
Token: SeDebugPrivilege	2060	@menvzlomali.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

9E410393702B6902ABDE53FC8B588527.execmd.exe

description	pid	process	target process
PID 628 wrote to memory of 3612	628	9E410393702B6902ABDE53FC8B588527.exe	cmd.exe
PID 628 wrote to memory of 3612	628	9E410393702B6902ABDE53FC8B588527.exe	cmd.exe
PID 3612 wrote to memory of 3048	3612	cmd.exe	mode.com
PID 3612 wrote to memory of 3048	3612	cmd.exe	mode.com
PID 3612 wrote to memory of 4060	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 4060	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 3768	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 3768	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 2972	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 2972	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 3824	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 3824	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 3684	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 3684	3612	cmd.exe	7z.exe
PID 3612 wrote to memory of 1344	3612	cmd.exe	attrib.exe
PID 3612 wrote to memory of 1344	3612	cmd.exe	attrib.exe
PID 3612 wrote to memory of 2060	3612	cmd.exe	@menvzlomali.exe
PID 3612 wrote to memory of 2060	3612	cmd.exe	@menvzlomali.exe
PID 3612 wrote to memory of 2060	3612	cmd.exe	@menvzlomali.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1344 attrib.exe

pid	process
1344	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe
"C:\Users\Admin\AppData\Local\Temp\9E410393702B6902ABDE53FC8B588527.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
2⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\system32\mode.com
mode 65,10
3⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\attrib.exe
attrib +H "@menvzlomali.exe"
3⤵
- Views/modifies file attributes
PID:1344

C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe
"@menvzlomali.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\@menvzlomali.exe
MD5
57212d78e3f10df15da4118f3af590c3

SHA1
fd591b0771e0fb440a82c3f939443859360d55c9

SHA256
071ad7bfefd2e0f0e6e5026f8753d4c02fbc3a6dceb66788677aa027d507c283

SHA512
8fbbba63336485b32ad3b415fcf3d1b2992c9b34a5872ac12e6c5767c03be509d7b537838aa44d49f20c44ab515761f5377a89eec0d54ea237de989b2dc1607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@menvzlomali.exe
MD5
57212d78e3f10df15da4118f3af590c3

SHA1
fd591b0771e0fb440a82c3f939443859360d55c9

SHA256
071ad7bfefd2e0f0e6e5026f8753d4c02fbc3a6dceb66788677aa027d507c283

SHA512
8fbbba63336485b32ad3b415fcf3d1b2992c9b34a5872ac12e6c5767c03be509d7b537838aa44d49f20c44ab515761f5377a89eec0d54ea237de989b2dc1607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
MD5
9c238b66e8e878add3c6d5ec2bb2b8ee

SHA1
01a129285a5738e6acf88d76e8861d7e4f66cf6d

SHA256
0b17daf75f88addfa5ea28e546842453b6b8e8677c81e6af5bced446a7e7cd10

SHA512
b00d7825e4da91645a3e723b0873ec98a96b40eacb4f3b070e8ddc46ecd6a3891dc62c835734e8fb3d26e82f18bd55813149f09c09f0b86d940c994f342b8092

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
MD5
17c65e9dd39033b1498d5b7127235bdb

SHA1
3f91c363bc3ae2ccbd4bdda2b8e2a327738af446

SHA256
4899f8459fa43698d043dd55347d7afde5529222dc09a9b5b46515d4dc78dbeb

SHA512
58a64286a2964cd8ff4877f5f4895cec01ed3135568c945d2232295f33fc1b19a30dc7fd5567fa4db46ac5e55ba29bb811cf89bdb4e12e7312cf73576c01c133

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
MD5
960172e158c04fe1a52ec200f8b603e3

SHA1
f866ab4b93f39adecf47053f9c4150c67f159d45

SHA256
b6fc5a261199c4cfbc37c61c26439a95bf2f302889e39e48b2926fd03270328d

SHA512
9d07a9d90dd87ff49087c56cb33e533d487806afbb57a41a72ac1f68cd8736aaaa2660c2449204652928a5edca3da12518701e6e1adf731b37b82267d993017d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
MD5
b8ac7bef4565972b105784581c036b1f

SHA1
3b2e982bdfbddac1e34edc0e0e270f9280767dab

SHA256
638e31294512e587d4f5f464ae12dd9319cbf0e29b17b0f69ff06c8c12c6549f

SHA512
d3d566a5d3e731e1aed6b59086f2206b49512b1b99183dfb1e38f37f0ff1694aca66bb17c3ee2fd9fb65ebd7986479ec8af392683b3f45affe450604ba8c4c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
MD5
6104565d86f6897d5598ca576d0cdb34

SHA1
5c6249bb6f5f4648549bebc9f6c27d27cc0cf470

SHA256
b9badec8e882abe16db8a7b85e168cd712b99bb75cee0cc5c2b66fbeda07f4d8

SHA512
b6f593d4ff0a4050b7fa907242298ec25dae653073b1a13a1ea13afaabc91d1db4a1c0857b4cccf93dc78d95156a8ca05fe1af95bab568e6720582f83607df3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
MD5
1db985429ea59b5e0ee3bf05de444e3f

SHA1
f5a960489b8141fcf746db2e1b9cc899cc839db5

SHA256
1b7c0b233b405bf1c9534319ddce9b72e61e6701c41287684e5f4f489d5f51bd

SHA512
cf8758b04a3d924c4608df42d0eef538925bb86c26fc3918cf838f827380bbe891f28e13537fb4bdde340c020bbf347e65c5bc19efdc643ea1d3f8b87d8c5f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
MD5
95e9d038587986bbfae1f3ff2703751c

SHA1
f755fc147be4c89a8f4a8ef8303458a9c2f384c7

SHA256
e94dc2d6675a9b0bef924a79e67e01107ac1725704c7c870939833c2e0ec7c22

SHA512
472969d8183aad603ff6063aa69b233833fe193f3f06b6fbee2c032bafe031900cbc35251219c4b850584bd4721bb132252a3bbc695056ddf92fb0416d142e68

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
memory/1344-140-0x0000000000000000-mapping.dmp

Download
memory/2060-145-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2060-146-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/2060-155-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/2060-150-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/2060-154-0x00000000066A0000-0x00000000066A1000-memory.dmp

Filesize
4KB

Download
memory/2060-153-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/2060-141-0x0000000000000000-mapping.dmp

Download
memory/2060-149-0x0000000004B80000-0x0000000005186000-memory.dmp

Filesize
6.0MB

Download
memory/2060-143-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2060-152-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/2060-151-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/2060-147-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2060-148-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2972-126-0x0000000000000000-mapping.dmp

Download
memory/3048-116-0x0000000000000000-mapping.dmp

Download
memory/3612-114-0x0000000000000000-mapping.dmp

Download
memory/3684-134-0x0000000000000000-mapping.dmp

Download
memory/3768-122-0x0000000000000000-mapping.dmp

Download
memory/3824-130-0x0000000000000000-mapping.dmp

Download
memory/4060-118-0x0000000000000000-mapping.dmp

Download