redline | c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b

Analysis

max time kernel
42s
max time network
121s
platform
windows10_x64
resource
win10v20210408
submitted
07-08-2021 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.exe
Size

807KB
MD5

91b29e0808cf9a3e10099d2dd0391f9f
SHA1

d5b547c0942e38bcefc739af927efc1461a6c7a2
SHA256

c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b
SHA512

08ebeb7752248c1ec14ed8645a59ddf087e095bc86286aa7928bf789a6f01f162cd5a7d7d68be0c2ef0aa9d9aef1e859cf466ec90531a020e6e436fa6dc8434b

Score

10^/10

redline ruz discovery evasion infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

RUZ

sandedean.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/800-142-0x0000000002240000-0x000000000225D000-memory.dmp	family_redline
behavioral1/memory/800-144-0x0000000004A50000-0x0000000004A6B000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

lerl.exesbn239824.exesbn239824.exe

pid process

1300 lerl.exe
664 sbn239824.exe
800 sbn239824.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

sbn239824.exe

description pid process target process

PID 664 set thread context of 800 664 sbn239824.exe sbn239824.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2100 timeout.exe
2212 timeout.exe
628 timeout.exe
1540 timeout.exe
192 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3200 taskkill.exe
1136 taskkill.exe

pid	process
1300	lerl.exe
664	sbn239824.exe
800	sbn239824.exe

description	pid	process	target process
PID 664 set thread context of 800	664	sbn239824.exe	sbn239824.exe

pid	process
2100	timeout.exe
2212	timeout.exe
628	timeout.exe
1540	timeout.exe
192	timeout.exe

pid	process
3200	taskkill.exe
1136	taskkill.exe

Modifies registry class 2 IoCs

Processes:

c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sbn239824.exe

pid process

800 sbn239824.exe
800 sbn239824.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exesbn239824.exe

description pid process

Token: SeDebugPrivilege 3200 taskkill.exe
Token: SeDebugPrivilege 1136 taskkill.exe
Token: SeDebugPrivilege 800 sbn239824.exe

pid	process
800	sbn239824.exe
800	sbn239824.exe

description	pid	process
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	800	sbn239824.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.exeWScript.execmd.exeWScript.execmd.exesbn239824.exe

description	pid	process	target process
PID 992 wrote to memory of 1016	992	c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.exe	WScript.exe
PID 992 wrote to memory of 1016	992	c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.exe	WScript.exe
PID 992 wrote to memory of 1016	992	c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.exe	WScript.exe
PID 1016 wrote to memory of 756	1016	WScript.exe	cmd.exe
PID 1016 wrote to memory of 756	1016	WScript.exe	cmd.exe
PID 1016 wrote to memory of 756	1016	WScript.exe	cmd.exe
PID 756 wrote to memory of 192	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 192	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 192	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 1300	756	cmd.exe	lerl.exe
PID 756 wrote to memory of 1300	756	cmd.exe	lerl.exe
PID 756 wrote to memory of 1300	756	cmd.exe	lerl.exe
PID 756 wrote to memory of 2100	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 2100	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 2100	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 416	756	cmd.exe	WScript.exe
PID 756 wrote to memory of 416	756	cmd.exe	WScript.exe
PID 756 wrote to memory of 416	756	cmd.exe	WScript.exe
PID 756 wrote to memory of 2212	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 2212	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 2212	756	cmd.exe	timeout.exe
PID 416 wrote to memory of 2792	416	WScript.exe	cmd.exe
PID 416 wrote to memory of 2792	416	WScript.exe	cmd.exe
PID 416 wrote to memory of 2792	416	WScript.exe	cmd.exe
PID 2792 wrote to memory of 760	2792	cmd.exe	attrib.exe
PID 2792 wrote to memory of 760	2792	cmd.exe	attrib.exe
PID 2792 wrote to memory of 760	2792	cmd.exe	attrib.exe
PID 2792 wrote to memory of 628	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 628	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 628	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 664	2792	cmd.exe	sbn239824.exe
PID 2792 wrote to memory of 664	2792	cmd.exe	sbn239824.exe
PID 2792 wrote to memory of 664	2792	cmd.exe	sbn239824.exe
PID 664 wrote to memory of 800	664	sbn239824.exe	sbn239824.exe
PID 664 wrote to memory of 800	664	sbn239824.exe	sbn239824.exe
PID 664 wrote to memory of 800	664	sbn239824.exe	sbn239824.exe
PID 664 wrote to memory of 800	664	sbn239824.exe	sbn239824.exe
PID 664 wrote to memory of 800	664	sbn239824.exe	sbn239824.exe
PID 2792 wrote to memory of 3200	2792	cmd.exe	taskkill.exe
PID 2792 wrote to memory of 3200	2792	cmd.exe	taskkill.exe
PID 2792 wrote to memory of 3200	2792	cmd.exe	taskkill.exe
PID 2792 wrote to memory of 1136	2792	cmd.exe	taskkill.exe
PID 2792 wrote to memory of 1136	2792	cmd.exe	taskkill.exe
PID 2792 wrote to memory of 1136	2792	cmd.exe	taskkill.exe
PID 2792 wrote to memory of 1568	2792	cmd.exe	attrib.exe
PID 2792 wrote to memory of 1568	2792	cmd.exe	attrib.exe
PID 2792 wrote to memory of 1568	2792	cmd.exe	attrib.exe
PID 2792 wrote to memory of 1540	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 1540	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 1540	2792	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1568 attrib.exe
760 attrib.exe

pid	process
1568	attrib.exe
760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.exe
"C:\Users\Admin\AppData\Local\Temp\c27d02d77c0aec87d90d81b3897c855e5b46eafe893ba8a3c407b2db81c54c0b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\RECYCLER\ext\s1.vbs" /f=CREATE_NO_WINDOW install.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\RECYCLER\ext\cmcm.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\timeout.exe
timeout 7
4⤵
- Delays execution with timeout.exe
PID:192

C:\RECYCLER\ext\lerl.exe
"lerl.exe" e -pVUvyusy7gr87dbhsjs2178hwh netpack.rar
4⤵
- Executes dropped EXE
PID:1300

C:\Windows\SysWOW64\timeout.exe
timeout 6
4⤵
- Delays execution with timeout.exe
PID:2100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\RECYCLER\ext\s2ls.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\RECYCLER\ext\vn2348972.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\RECYCLER"
6⤵
- Views/modifies file attributes
PID:760

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:628

C:\RECYCLER\ext\sbn239824.exe
sbn239824.exe /start
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:664

C:\RECYCLER\ext\sbn239824.exe
sbn239824.exe /start
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im lerl.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im lerl.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\RECYCLER\ext"
6⤵
- Views/modifies file attributes
PID:1568

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:1540

C:\Windows\SysWOW64\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RECYCLER\ext\cmcm.bat
MD5
a337755a0943394d0d52d934e38d55ca

SHA1
5c056b2ab188145e2901668b9921659b60be71b7

SHA256
8ae7346932a00bd36852d155c2b2b8d5e403c1b0bf2136d30c51f98107398d53

SHA512
223525e118d9231ddc2e134516d401bf288a48d0e5af0dcde7cba1fbf8fe869b9a340c2a9a16e91e27fbb542aa56f95864d92486ae69088d8692a62535067fdc

Download Submit
C:\RECYCLER\ext\lerl.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\RECYCLER\ext\lerl.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\RECYCLER\ext\net.lic
MD5
cbb9a5673118fafd801adfefedb6d2b6

SHA1
742188db9cc6ec4fea2c839df8495ff35a616af6

SHA256
25ea53b8e8f7a58090ce3cb5372800477a982822e3f4d1a47b867e1c60272857

SHA512
2ed3157aee718859cf41b0897b9f2da187d3961ede3d468cbf0c701724f9819c5fd66ce8ccef863b2bd48ce3f3da117c13b8eb1924955cb89af43ec4064e07c4

Download Submit
C:\RECYCLER\ext\s1.vbs
MD5
cba79283b21d77445b642b993f80449b

SHA1
dd985334ded87cf6ccf41836ccb52d0ee8aaf0e2

SHA256
72f7c0e4fe8661cf7ef677d925dde5c148fd0bcab6ac8beee1e9562f38c09899

SHA512
eecf40b4ef134306f63168beb5ca40efcfe5f06262558607e8a42cb92dcb1a56b04e931c0993403264d401d5a35e4f7391778116d955603e7073468211c79b85

Download Submit
C:\RECYCLER\ext\s2ls.vbs
MD5
da2135e3259d7fdec822f7c204d65720

SHA1
14ea6441c8c4392b90e532321081eb32937b975d

SHA256
b60ff12e19805329da56221c84245f8ce18756493236f215efa00093a0eead09

SHA512
abc5e031b7d4da89b01efd56ee2b08cf0ea1354d2ee39d221ad4f04f425c4f9cfb1a922b0bd8035fd3f6a8b5955de76adc6c206d6db8407ce8bf2eed36caccfe

Download Submit
C:\RECYCLER\ext\sbn239824.exe
MD5
1fa01a2dbdfce5b014bfec4d90193558

SHA1
5adb385236bc382c91185e62e048455c716adf83

SHA256
5e91f8e4de04a42b213ebcf29f6fdcdcea36e6bbf6c9c12e61f49fcce0a9c167

SHA512
18eef4fea007233c4a4d8fd8b3e921ca6825b9fe50df4038c4468183ec70f3d6d9478888d53babada22fae554ae39e51758957689a63d105567137161fe82cd2

Download Submit
C:\RECYCLER\ext\sbn239824.exe
MD5
1fa01a2dbdfce5b014bfec4d90193558

SHA1
5adb385236bc382c91185e62e048455c716adf83

SHA256
5e91f8e4de04a42b213ebcf29f6fdcdcea36e6bbf6c9c12e61f49fcce0a9c167

SHA512
18eef4fea007233c4a4d8fd8b3e921ca6825b9fe50df4038c4468183ec70f3d6d9478888d53babada22fae554ae39e51758957689a63d105567137161fe82cd2

Download Submit
C:\RECYCLER\ext\sbn239824.exe
MD5
1fa01a2dbdfce5b014bfec4d90193558

SHA1
5adb385236bc382c91185e62e048455c716adf83

SHA256
5e91f8e4de04a42b213ebcf29f6fdcdcea36e6bbf6c9c12e61f49fcce0a9c167

SHA512
18eef4fea007233c4a4d8fd8b3e921ca6825b9fe50df4038c4468183ec70f3d6d9478888d53babada22fae554ae39e51758957689a63d105567137161fe82cd2

Download Submit
C:\RECYCLER\ext\vn2348972.bat
MD5
7fdc33e416575fbe3d85c16f884882dd

SHA1
e653725d8e3246896e2e343e3f51d6c38956d31f

SHA256
38fb4b2e049fd0d32aa46d250272ef3ad4e094f750295c1e468de382974b108c

SHA512
e1cba3e9d05478799b8653e23ab1dc627ae58c522f7cfd763eb54cda8b572c409fc0f96a0ead55bed2015e7b3a9a73115335af06b746ca5b37af337d8a3db592

Download Submit
memory/192-118-0x0000000000000000-mapping.dmp

Download
memory/416-124-0x0000000000000000-mapping.dmp

Download
memory/628-129-0x0000000000000000-mapping.dmp

Download
memory/664-130-0x0000000000000000-mapping.dmp

Download
memory/756-117-0x0000000000000000-mapping.dmp

Download
memory/760-128-0x0000000000000000-mapping.dmp

Download
memory/800-147-0x0000000004AB3000-0x0000000004AB4000-memory.dmp

Filesize
4KB

Download
memory/800-141-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/800-159-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/800-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-134-0x000000000040CD2F-mapping.dmp

Download
memory/800-158-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/800-157-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/800-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-156-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/800-155-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/800-154-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/800-153-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/800-142-0x0000000002240000-0x000000000225D000-memory.dmp

Filesize
116KB

Download
memory/800-143-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/800-144-0x0000000004A50000-0x0000000004A6B000-memory.dmp

Filesize
108KB

Download
memory/800-145-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/800-146-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/800-151-0x0000000004AB4000-0x0000000004AB6000-memory.dmp

Filesize
8KB

Download
memory/800-148-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/800-149-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/800-150-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1016-114-0x0000000000000000-mapping.dmp

Download
memory/1136-138-0x0000000000000000-mapping.dmp

Download
memory/1300-120-0x0000000000000000-mapping.dmp

Download
memory/1540-140-0x0000000000000000-mapping.dmp

Download
memory/1568-139-0x0000000000000000-mapping.dmp

Download
memory/2100-122-0x0000000000000000-mapping.dmp

Download
memory/2212-125-0x0000000000000000-mapping.dmp

Download
memory/2792-127-0x0000000000000000-mapping.dmp

Download
memory/3200-136-0x0000000000000000-mapping.dmp

Download