redline | a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5

Analysis

max time kernel
42s
max time network
134s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe
Size

723KB
MD5

5c7a96e9e751658f051daa79ac1e4cf0
SHA1

786f93d12910979c125ae6de7335d1aa80b5ed3e
SHA256

a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5
SHA512

e624b68903efab2b7cd287b8c48e8afb08399770d0533238de2d0e17944dde9d8587041de81499b8c8b737bdbfb9e87f06539cdfff5c0d8da2713916512e0de9

Score

10^/10

redline discovery evasion infostealer spyware stealer

Malware Config

Extracted

Family

redline

stanntinab.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1232-141-0x0000000002180000-0x000000000219C000-memory.dmp	family_redline
behavioral2/memory/1232-143-0x0000000002620000-0x000000000263B000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

hock.exesid.exesid.exe

pid process

2208 hock.exe
2452 sid.exe
1232 sid.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

sid.exe

description pid process target process

PID 2452 set thread context of 1232 2452 sid.exe sid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3596 timeout.exe
184 timeout.exe
844 timeout.exe
1264 timeout.exe
1096 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2208 taskkill.exe
1512 taskkill.exe

pid	process
2208	hock.exe
2452	sid.exe
1232	sid.exe

description	pid	process	target process
PID 2452 set thread context of 1232	2452	sid.exe	sid.exe

pid	process
3596	timeout.exe
184	timeout.exe
844	timeout.exe
1264	timeout.exe
1096	timeout.exe

pid	process
2208	taskkill.exe
1512	taskkill.exe

Modifies registry class 2 IoCs

Processes:

8a7bf5e8-e55e-46c9-82e7-33084da611e9.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sid.exe

pid process

1232 sid.exe
1232 sid.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exesid.exe

description pid process

Token: SeDebugPrivilege 1512 taskkill.exe
Token: SeDebugPrivilege 2208 taskkill.exe
Token: SeDebugPrivilege 1232 sid.exe

pid	process
1232	sid.exe
1232	sid.exe

description	pid	process
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	1232	sid.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

8a7bf5e8-e55e-46c9-82e7-33084da611e9.exeWScript.execmd.exeWScript.execmd.exesid.exe

description	pid	process	target process
PID 1440 wrote to memory of 1168	1440	8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe	WScript.exe
PID 1440 wrote to memory of 1168	1440	8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe	WScript.exe
PID 1440 wrote to memory of 1168	1440	8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe	WScript.exe
PID 1168 wrote to memory of 3916	1168	WScript.exe	cmd.exe
PID 1168 wrote to memory of 3916	1168	WScript.exe	cmd.exe
PID 1168 wrote to memory of 3916	1168	WScript.exe	cmd.exe
PID 3916 wrote to memory of 1264	3916	cmd.exe	timeout.exe
PID 3916 wrote to memory of 1264	3916	cmd.exe	timeout.exe
PID 3916 wrote to memory of 1264	3916	cmd.exe	timeout.exe
PID 3916 wrote to memory of 2208	3916	cmd.exe	hock.exe
PID 3916 wrote to memory of 2208	3916	cmd.exe	hock.exe
PID 3916 wrote to memory of 2208	3916	cmd.exe	hock.exe
PID 3916 wrote to memory of 1096	3916	cmd.exe	timeout.exe
PID 3916 wrote to memory of 1096	3916	cmd.exe	timeout.exe
PID 3916 wrote to memory of 1096	3916	cmd.exe	timeout.exe
PID 3916 wrote to memory of 3720	3916	cmd.exe	WScript.exe
PID 3916 wrote to memory of 3720	3916	cmd.exe	WScript.exe
PID 3916 wrote to memory of 3720	3916	cmd.exe	WScript.exe
PID 3916 wrote to memory of 3596	3916	cmd.exe	timeout.exe
PID 3916 wrote to memory of 3596	3916	cmd.exe	timeout.exe
PID 3916 wrote to memory of 3596	3916	cmd.exe	timeout.exe
PID 3720 wrote to memory of 3176	3720	WScript.exe	cmd.exe
PID 3720 wrote to memory of 3176	3720	WScript.exe	cmd.exe
PID 3720 wrote to memory of 3176	3720	WScript.exe	cmd.exe
PID 3176 wrote to memory of 3812	3176	cmd.exe	attrib.exe
PID 3176 wrote to memory of 3812	3176	cmd.exe	attrib.exe
PID 3176 wrote to memory of 3812	3176	cmd.exe	attrib.exe
PID 3176 wrote to memory of 184	3176	cmd.exe	timeout.exe
PID 3176 wrote to memory of 184	3176	cmd.exe	timeout.exe
PID 3176 wrote to memory of 184	3176	cmd.exe	timeout.exe
PID 3176 wrote to memory of 2452	3176	cmd.exe	sid.exe
PID 3176 wrote to memory of 2452	3176	cmd.exe	sid.exe
PID 3176 wrote to memory of 2452	3176	cmd.exe	sid.exe
PID 2452 wrote to memory of 1232	2452	sid.exe	sid.exe
PID 2452 wrote to memory of 1232	2452	sid.exe	sid.exe
PID 2452 wrote to memory of 1232	2452	sid.exe	sid.exe
PID 2452 wrote to memory of 1232	2452	sid.exe	sid.exe
PID 2452 wrote to memory of 1232	2452	sid.exe	sid.exe
PID 3176 wrote to memory of 1512	3176	cmd.exe	taskkill.exe
PID 3176 wrote to memory of 1512	3176	cmd.exe	taskkill.exe
PID 3176 wrote to memory of 1512	3176	cmd.exe	taskkill.exe
PID 3176 wrote to memory of 2208	3176	cmd.exe	taskkill.exe
PID 3176 wrote to memory of 2208	3176	cmd.exe	taskkill.exe
PID 3176 wrote to memory of 2208	3176	cmd.exe	taskkill.exe
PID 3176 wrote to memory of 2784	3176	cmd.exe	attrib.exe
PID 3176 wrote to memory of 2784	3176	cmd.exe	attrib.exe
PID 3176 wrote to memory of 2784	3176	cmd.exe	attrib.exe
PID 3176 wrote to memory of 844	3176	cmd.exe	timeout.exe
PID 3176 wrote to memory of 844	3176	cmd.exe	timeout.exe
PID 3176 wrote to memory of 844	3176	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3812 attrib.exe
2784 attrib.exe

pid	process
3812	attrib.exe
2784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe
"C:\Users\Admin\AppData\Local\Temp\8a7bf5e8-e55e-46c9-82e7-33084da611e9.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\inst1\datapjgf\5g56656161.vbs" /f=CREATE_NO_WINDOW install.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\inst1\datapjgf\yui.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\timeout.exe
timeout 7
4⤵
- Delays execution with timeout.exe
PID:1264

C:\inst1\datapjgf\hock.exe
"hock.exe" e -pfile kool.rar
4⤵
- Executes dropped EXE
PID:2208

C:\Windows\SysWOW64\timeout.exe
timeout 6
4⤵
- Delays execution with timeout.exe
PID:1096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\inst1\datapjgf\als.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\inst1\datapjgf\fsp.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\inst1"
6⤵
- Views/modifies file attributes
PID:3812

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:184

C:\inst1\datapjgf\sid.exe
sid.exe /start
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2452

C:\inst1\datapjgf\sid.exe
sid.exe /start
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im hock.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im hock.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\inst1\datapjgf"
6⤵
- Views/modifies file attributes
PID:2784

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:844

C:\Windows\SysWOW64\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\inst1\datapjgf\5g56656161.vbs
MD5
bb1e59925a7580229b8f56259a5b7e35

SHA1
1f65cc2d37d3e135c9f92d9630deae8d0c75d19b

SHA256
347d11816b9cf30654204cfcf51b2907cfb3e64e89426d6eb0f1cb73159fdc7d

SHA512
1e584c8ab1780672e34999e9a003a21254586f7712f7d70774f35b7e42fab424938d6ea1f36057ca9c831ea6bcfbca4649b5bfe6f65610b7f6629977730aace9

Download Submit
C:\inst1\datapjgf\als.vbs
MD5
9859b8c66ab773327318fb4af69b4ff0

SHA1
9960966652d6b1921329d667e667964cdc933cd1

SHA256
77ce3e4459c8af542dab9039f0ac1a0ce72592a484f91dfe10042e260f9b4d40

SHA512
f4a76570459b53b6dac4680b6ee0957a4bebc491fc88807f534a8123c248b26135e4c81287af6f922924fd3ad64fe4068d9133fd874506887ff2692b20f8c190

Download Submit
C:\inst1\datapjgf\fsp.bat
MD5
ef5de4e87f37e047ba668f5f4497a25e

SHA1
5df4086a8c8a0ac457c5fd2e0884ceacecee19e0

SHA256
069700f16b8c2ff3f22a7c4a0448c5d128effcf2c0917534672eb56dd7404721

SHA512
e4daf66258467a54da7654428f2a47dc58c3de106df9a2a62ebbf75984a2123c0d14e24cae81c9f2973d61aea85a4c1c3b439b6af45a720f3a10c933b367c742

Download Submit
C:\inst1\datapjgf\hock.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\inst1\datapjgf\hock.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\inst1\datapjgf\pzrklog
MD5
431b2ef26e503e06a01587aaa7a2ee93

SHA1
58ef0a09f2464731f094775e8adc77379bfc5ffa

SHA256
dfaa5c996d8afaf498bcb58d6ac1348cf959e8a008f3b572ddd6a60951426de6

SHA512
2990ab4d257aa81b037d4df58fa01f6d8229670a4d1f990d299ed6b205d869fe6c5076921f20bfdddd02b1e8d9f01b422a86dbd35e38a7d190eb3b798f6061d5

Download Submit
C:\inst1\datapjgf\sid.exe
MD5
4eaa34aeca42bfe6cfd59179a76b266a

SHA1
bd09f11f58fd289382c58cce6c30f55786c84b6e

SHA256
03676d28845bff4bdece7c13f65594da8e1133c6f2e4ee93b88a8456d572d1ef

SHA512
67d1d62732a2d8d4470d9f8e8862641a3c845b53be261033c4145a77f29ed8e66f32d01823f680e8453fc7779897840467ff8f29b799e28cd3fcfe4aad912af4

Download Submit
C:\inst1\datapjgf\sid.exe
MD5
4eaa34aeca42bfe6cfd59179a76b266a

SHA1
bd09f11f58fd289382c58cce6c30f55786c84b6e

SHA256
03676d28845bff4bdece7c13f65594da8e1133c6f2e4ee93b88a8456d572d1ef

SHA512
67d1d62732a2d8d4470d9f8e8862641a3c845b53be261033c4145a77f29ed8e66f32d01823f680e8453fc7779897840467ff8f29b799e28cd3fcfe4aad912af4

Download Submit
C:\inst1\datapjgf\sid.exe
MD5
4eaa34aeca42bfe6cfd59179a76b266a

SHA1
bd09f11f58fd289382c58cce6c30f55786c84b6e

SHA256
03676d28845bff4bdece7c13f65594da8e1133c6f2e4ee93b88a8456d572d1ef

SHA512
67d1d62732a2d8d4470d9f8e8862641a3c845b53be261033c4145a77f29ed8e66f32d01823f680e8453fc7779897840467ff8f29b799e28cd3fcfe4aad912af4

Download Submit
C:\inst1\datapjgf\yui.bat
MD5
6233a53a9098887969c50d6ebb4fb984

SHA1
70ad25a824489083d2087ae08243f5540cde67b0

SHA256
008932d95d072a0fe6be40db10f4a32c16e152138f61ed17d955f2b00f41f865

SHA512
b978cf449bfb9ae3902ecc2e44b985d29f2b57087d22ebbc19a800e595fccb56f089baa32c71e4c533dbb829b1643c7d770f2637016a4d43851f5f69f5012a56

Download Submit
memory/184-129-0x0000000000000000-mapping.dmp

Download
memory/844-139-0x0000000000000000-mapping.dmp

Download
memory/1096-122-0x0000000000000000-mapping.dmp

Download
memory/1168-114-0x0000000000000000-mapping.dmp

Download
memory/1232-151-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1232-159-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1232-158-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/1232-154-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/1232-150-0x0000000002104000-0x0000000002106000-memory.dmp

Filesize
8KB

Download
memory/1232-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-134-0x000000000040CD2F-mapping.dmp

Download
memory/1232-156-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/1232-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-152-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/1232-149-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1232-155-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/1232-157-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/1232-141-0x0000000002180000-0x000000000219C000-memory.dmp

Filesize
112KB

Download
memory/1232-142-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/1232-143-0x0000000002620000-0x000000000263B000-memory.dmp

Filesize
108KB

Download
memory/1232-144-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1232-146-0x0000000002102000-0x0000000002103000-memory.dmp

Filesize
4KB

Download
memory/1232-145-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1232-147-0x0000000002103000-0x0000000002104000-memory.dmp

Filesize
4KB

Download
memory/1232-148-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1264-118-0x0000000000000000-mapping.dmp

Download
memory/1512-136-0x0000000000000000-mapping.dmp

Download
memory/2208-137-0x0000000000000000-mapping.dmp

Download
memory/2208-120-0x0000000000000000-mapping.dmp

Download
memory/2452-130-0x0000000000000000-mapping.dmp

Download
memory/2784-138-0x0000000000000000-mapping.dmp

Download
memory/3176-127-0x0000000000000000-mapping.dmp

Download
memory/3596-125-0x0000000000000000-mapping.dmp

Download
memory/3720-124-0x0000000000000000-mapping.dmp

Download
memory/3812-128-0x0000000000000000-mapping.dmp

Download
memory/3916-117-0x0000000000000000-mapping.dmp

Download