redline | 1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494

Analysis

max time kernel
39s
max time network
69s
platform
windows10_x64
resource
win10v20210408
submitted
10-08-2021 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.exe
Size

743KB
MD5

4d4bc0c39fc901c1a86ef43fc3bf189a
SHA1

4736a94c30917e695ebf58f674632575e383d571
SHA256

1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
SHA512

62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

Score

10^/10

redline ruz discovery evasion infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

RUZ

sandedean.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/492-141-0x0000000000710000-0x000000000072D000-memory.dmp	family_redline
behavioral1/memory/492-146-0x00000000022D0000-0x00000000022EB000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Sgsmmodul.commmscx.exemmscx.exe

pid process

2064 Sgsmmodul.com
404 mmscx.exe
492 mmscx.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

mmscx.exe

description pid process target process

PID 404 set thread context of 492 404 mmscx.exe mmscx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3008 timeout.exe
1336 timeout.exe
1872 timeout.exe
3148 timeout.exe
3844 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3476 taskkill.exe
1092 taskkill.exe

pid	process
2064	Sgsmmodul.com
404	mmscx.exe
492	mmscx.exe

description	pid	process	target process
PID 404 set thread context of 492	404	mmscx.exe	mmscx.exe

pid	process
3008	timeout.exe
1336	timeout.exe
1872	timeout.exe
3148	timeout.exe
3844	timeout.exe

pid	process
3476	taskkill.exe
1092	taskkill.exe

Modifies registry class 2 IoCs

Processes:

1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mmscx.exe

pid process

492 mmscx.exe
492 mmscx.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exemmscx.exe

description pid process

Token: SeDebugPrivilege 3476 taskkill.exe
Token: SeDebugPrivilege 1092 taskkill.exe
Token: SeDebugPrivilege 492 mmscx.exe

pid	process
492	mmscx.exe
492	mmscx.exe

description	pid	process
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	492	mmscx.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.exeWScript.execmd.exeWScript.execmd.exemmscx.exe

description	pid	process	target process
PID 628 wrote to memory of 3192	628	1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.exe	WScript.exe
PID 628 wrote to memory of 3192	628	1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.exe	WScript.exe
PID 628 wrote to memory of 3192	628	1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.exe	WScript.exe
PID 3192 wrote to memory of 980	3192	WScript.exe	cmd.exe
PID 3192 wrote to memory of 980	3192	WScript.exe	cmd.exe
PID 3192 wrote to memory of 980	3192	WScript.exe	cmd.exe
PID 980 wrote to memory of 3008	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 3008	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 3008	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 2064	980	cmd.exe	Sgsmmodul.com
PID 980 wrote to memory of 2064	980	cmd.exe	Sgsmmodul.com
PID 980 wrote to memory of 2064	980	cmd.exe	Sgsmmodul.com
PID 980 wrote to memory of 1336	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1336	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1336	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1480	980	cmd.exe	WScript.exe
PID 980 wrote to memory of 1480	980	cmd.exe	WScript.exe
PID 980 wrote to memory of 1480	980	cmd.exe	WScript.exe
PID 980 wrote to memory of 1872	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1872	980	cmd.exe	timeout.exe
PID 980 wrote to memory of 1872	980	cmd.exe	timeout.exe
PID 1480 wrote to memory of 3252	1480	WScript.exe	cmd.exe
PID 1480 wrote to memory of 3252	1480	WScript.exe	cmd.exe
PID 1480 wrote to memory of 3252	1480	WScript.exe	cmd.exe
PID 3252 wrote to memory of 2156	3252	cmd.exe	attrib.exe
PID 3252 wrote to memory of 2156	3252	cmd.exe	attrib.exe
PID 3252 wrote to memory of 2156	3252	cmd.exe	attrib.exe
PID 3252 wrote to memory of 3148	3252	cmd.exe	timeout.exe
PID 3252 wrote to memory of 3148	3252	cmd.exe	timeout.exe
PID 3252 wrote to memory of 3148	3252	cmd.exe	timeout.exe
PID 3252 wrote to memory of 404	3252	cmd.exe	mmscx.exe
PID 3252 wrote to memory of 404	3252	cmd.exe	mmscx.exe
PID 3252 wrote to memory of 404	3252	cmd.exe	mmscx.exe
PID 404 wrote to memory of 492	404	mmscx.exe	mmscx.exe
PID 404 wrote to memory of 492	404	mmscx.exe	mmscx.exe
PID 404 wrote to memory of 492	404	mmscx.exe	mmscx.exe
PID 404 wrote to memory of 492	404	mmscx.exe	mmscx.exe
PID 404 wrote to memory of 492	404	mmscx.exe	mmscx.exe
PID 3252 wrote to memory of 3476	3252	cmd.exe	taskkill.exe
PID 3252 wrote to memory of 3476	3252	cmd.exe	taskkill.exe
PID 3252 wrote to memory of 3476	3252	cmd.exe	taskkill.exe
PID 3252 wrote to memory of 1092	3252	cmd.exe	taskkill.exe
PID 3252 wrote to memory of 1092	3252	cmd.exe	taskkill.exe
PID 3252 wrote to memory of 1092	3252	cmd.exe	taskkill.exe
PID 3252 wrote to memory of 2272	3252	cmd.exe	attrib.exe
PID 3252 wrote to memory of 2272	3252	cmd.exe	attrib.exe
PID 3252 wrote to memory of 2272	3252	cmd.exe	attrib.exe
PID 3252 wrote to memory of 3844	3252	cmd.exe	timeout.exe
PID 3252 wrote to memory of 3844	3252	cmd.exe	timeout.exe
PID 3252 wrote to memory of 3844	3252	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2156 attrib.exe
2272 attrib.exe

pid	process
2156	attrib.exe
2272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.exe
"C:\Users\Admin\AppData\Local\Temp\1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\44t.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\timeout.exe
timeout 7
4⤵
- Delays execution with timeout.exe
PID:3008

C:\NSpack\updIns\Sgsmmodul.com
"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
4⤵
- Executes dropped EXE
PID:2064

C:\Windows\SysWOW64\timeout.exe
timeout 6
4⤵
- Delays execution with timeout.exe
PID:1336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\gg4359.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\NSpack\updIns"
6⤵
- Views/modifies file attributes
PID:2156

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:3148

C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:404

C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\NSpack\updIns"
6⤵
- Views/modifies file attributes
PID:2272

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:3844

C:\Windows\SysWOW64\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NSpack\updIns\44t.bat
MD5
96c69dbc1233bfa7c5e883658e0758d4

SHA1
613179fa74db9e71516bdb3a93341e9d90c4ecba

SHA256
deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde

SHA512
43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3

Download Submit
C:\NSpack\updIns\Sgsmmodul.com
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\NSpack\updIns\Sgsmmodul.com
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\NSpack\updIns\dc.isi
MD5
fbd467e1613c53b03376e987f3dbf2da

SHA1
e2ca3ff625122f49e8a382dee32d0ca2f98648bf

SHA256
cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68

SHA512
e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05

Download Submit
C:\NSpack\updIns\gg4359.bat
MD5
b4be21a8f4bb91b11ccaf08b39b679d5

SHA1
b3da567bb1072168b54866ee29301bde61bdc45e

SHA256
35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d

SHA512
a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c

Download Submit
C:\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
C:\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
C:\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
C:\NSpack\updIns\sevenup.vbs
MD5
6a551928353982ab64107a4929c91c91

SHA1
b68ee5e77a722638f184d0fbf6a4834bb8cc188e

SHA256
0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3

SHA512
870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d

Download Submit
C:\NSpack\updIns\tetracom.vbs
MD5
bdc0fb5cada9a89f074961224aaf4e63

SHA1
9284fe4ecc0fde705fc596dd89191c02915fd7a4

SHA256
b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db

SHA512
83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28

Download Submit
memory/404-130-0x0000000000000000-mapping.dmp

Download
memory/492-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/492-154-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/492-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/492-155-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/492-149-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/492-157-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/492-158-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/492-152-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/492-134-0x000000000040CD2F-mapping.dmp

Download
memory/492-148-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/492-150-0x00000000049E4000-0x00000000049E6000-memory.dmp

Filesize
8KB

Download
memory/492-147-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/492-156-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/492-146-0x00000000022D0000-0x00000000022EB000-memory.dmp

Filesize
108KB

Download
memory/492-159-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/492-151-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/492-141-0x0000000000710000-0x000000000072D000-memory.dmp

Filesize
116KB

Download
memory/492-142-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/492-144-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/492-143-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/492-145-0x00000000049E3000-0x00000000049E4000-memory.dmp

Filesize
4KB

Download
memory/980-117-0x0000000000000000-mapping.dmp

Download
memory/1092-138-0x0000000000000000-mapping.dmp

Download
memory/1336-122-0x0000000000000000-mapping.dmp

Download
memory/1480-124-0x0000000000000000-mapping.dmp

Download
memory/1872-125-0x0000000000000000-mapping.dmp

Download
memory/2064-120-0x0000000000000000-mapping.dmp

Download
memory/2156-128-0x0000000000000000-mapping.dmp

Download
memory/2272-139-0x0000000000000000-mapping.dmp

Download
memory/3008-118-0x0000000000000000-mapping.dmp

Download
memory/3148-129-0x0000000000000000-mapping.dmp

Download
memory/3192-114-0x0000000000000000-mapping.dmp

Download
memory/3252-127-0x0000000000000000-mapping.dmp

Download
memory/3476-136-0x0000000000000000-mapping.dmp

Download
memory/3844-140-0x0000000000000000-mapping.dmp

Download