redline | c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818

Analysis

max time kernel
129s
max time network
137s
platform
windows7_x64
resource
win7v20210408
submitted
11-08-2021 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file3.exe
Size

743KB
MD5

4d4bc0c39fc901c1a86ef43fc3bf189a
SHA1

4736a94c30917e695ebf58f674632575e383d571
SHA256

1db3436f625cebe977fb3a664dda374d3873e50d4f4f46c50a258949905f7494
SHA512

62bcb7214a1f7c3143ee69f4b188cfea38369d2d7b736891bc1a280334cfd2c31d994f99a1da890203ea638ff17b82c4481f765de4bb9ff3b37dcdc11f46dee6

Score

10^/10

redline ruz discovery evasion infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

RUZ

sandedean.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral15/memory/744-109-0x00000000004B0000-0x00000000004CD000-memory.dmp	family_redline
behavioral15/memory/744-112-0x0000000001CC0000-0x0000000001CDB000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Sgsmmodul.commmscx.exemmscx.exe

pid process

736 Sgsmmodul.com
1696 mmscx.exe
744 mmscx.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exemmscx.exe

pid process

1928 cmd.exe
920 cmd.exe
920 cmd.exe
1696 mmscx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

mmscx.exe

description pid process target process

PID 1696 set thread context of 744 1696 mmscx.exe mmscx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1256 timeout.exe
856 timeout.exe
1288 timeout.exe
368 timeout.exe
952 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1604 taskkill.exe
1308 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mmscx.exe

pid process

744 mmscx.exe
744 mmscx.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exemmscx.exe

description pid process

Token: SeDebugPrivilege 1604 taskkill.exe
Token: SeDebugPrivilege 1308 taskkill.exe
Token: SeDebugPrivilege 744 mmscx.exe

pid	process
736	Sgsmmodul.com
1696	mmscx.exe
744	mmscx.exe

pid	process
1928	cmd.exe
920	cmd.exe
920	cmd.exe
1696	mmscx.exe

description	pid	process	target process
PID 1696 set thread context of 744	1696	mmscx.exe	mmscx.exe

pid	process
1256	timeout.exe
856	timeout.exe
1288	timeout.exe
368	timeout.exe
952	timeout.exe

pid	process
1604	taskkill.exe
1308	taskkill.exe

pid	process
744	mmscx.exe
744	mmscx.exe

description	pid	process
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	744	mmscx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file3.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1820 wrote to memory of 2032	1820	file3.exe	WScript.exe
PID 1820 wrote to memory of 2032	1820	file3.exe	WScript.exe
PID 1820 wrote to memory of 2032	1820	file3.exe	WScript.exe
PID 1820 wrote to memory of 2032	1820	file3.exe	WScript.exe
PID 1820 wrote to memory of 2032	1820	file3.exe	WScript.exe
PID 1820 wrote to memory of 2032	1820	file3.exe	WScript.exe
PID 1820 wrote to memory of 2032	1820	file3.exe	WScript.exe
PID 2032 wrote to memory of 1928	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	WScript.exe	cmd.exe
PID 2032 wrote to memory of 1928	2032	WScript.exe	cmd.exe
PID 1928 wrote to memory of 1256	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1256	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1256	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1256	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1256	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1256	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1256	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 736	1928	cmd.exe	Sgsmmodul.com
PID 1928 wrote to memory of 736	1928	cmd.exe	Sgsmmodul.com
PID 1928 wrote to memory of 736	1928	cmd.exe	Sgsmmodul.com
PID 1928 wrote to memory of 736	1928	cmd.exe	Sgsmmodul.com
PID 1928 wrote to memory of 736	1928	cmd.exe	Sgsmmodul.com
PID 1928 wrote to memory of 736	1928	cmd.exe	Sgsmmodul.com
PID 1928 wrote to memory of 736	1928	cmd.exe	Sgsmmodul.com
PID 1928 wrote to memory of 856	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 856	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 856	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 856	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 856	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 856	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 856	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1768	1928	cmd.exe	WScript.exe
PID 1928 wrote to memory of 1768	1928	cmd.exe	WScript.exe
PID 1928 wrote to memory of 1768	1928	cmd.exe	WScript.exe
PID 1928 wrote to memory of 1768	1928	cmd.exe	WScript.exe
PID 1928 wrote to memory of 1768	1928	cmd.exe	WScript.exe
PID 1928 wrote to memory of 1768	1928	cmd.exe	WScript.exe
PID 1928 wrote to memory of 1768	1928	cmd.exe	WScript.exe
PID 1928 wrote to memory of 1288	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1288	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1288	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1288	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1288	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1288	1928	cmd.exe	timeout.exe
PID 1928 wrote to memory of 1288	1928	cmd.exe	timeout.exe
PID 1768 wrote to memory of 920	1768	WScript.exe	cmd.exe
PID 1768 wrote to memory of 920	1768	WScript.exe	cmd.exe
PID 1768 wrote to memory of 920	1768	WScript.exe	cmd.exe
PID 1768 wrote to memory of 920	1768	WScript.exe	cmd.exe
PID 1768 wrote to memory of 920	1768	WScript.exe	cmd.exe
PID 1768 wrote to memory of 920	1768	WScript.exe	cmd.exe
PID 1768 wrote to memory of 920	1768	WScript.exe	cmd.exe
PID 920 wrote to memory of 1088	920	cmd.exe	attrib.exe
PID 920 wrote to memory of 1088	920	cmd.exe	attrib.exe
PID 920 wrote to memory of 1088	920	cmd.exe	attrib.exe
PID 920 wrote to memory of 1088	920	cmd.exe	attrib.exe
PID 920 wrote to memory of 1088	920	cmd.exe	attrib.exe
PID 920 wrote to memory of 1088	920	cmd.exe	attrib.exe
PID 920 wrote to memory of 1088	920	cmd.exe	attrib.exe
PID 920 wrote to memory of 368	920	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1028 attrib.exe
1088 attrib.exe

pid	process
1028	attrib.exe
1088	attrib.exe

C:\Users\Admin\AppData\Local\Temp\file3.exe
"C:\Users\Admin\AppData\Local\Temp\file3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NSpack\updIns\44t.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\timeout.exe
timeout 7
4⤵
- Delays execution with timeout.exe
PID:1256

C:\NSpack\updIns\Sgsmmodul.com
"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
4⤵
- Executes dropped EXE
PID:736

C:\Windows\SysWOW64\timeout.exe
timeout 6
4⤵
- Delays execution with timeout.exe
PID:856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NSpack\updIns\gg4359.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\NSpack\updIns"
6⤵
- Views/modifies file attributes
PID:1088

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:368

C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1696

C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\NSpack\updIns"
6⤵
- Views/modifies file attributes
PID:1028

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:952

C:\Windows\SysWOW64\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NSpack\updIns\44t.bat
MD5
96c69dbc1233bfa7c5e883658e0758d4

SHA1
613179fa74db9e71516bdb3a93341e9d90c4ecba

SHA256
deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde

SHA512
43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3

Download Submit
C:\NSpack\updIns\Sgsmmodul.com
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\NSpack\updIns\Sgsmmodul.com
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\NSpack\updIns\dc.isi
MD5
fbd467e1613c53b03376e987f3dbf2da

SHA1
e2ca3ff625122f49e8a382dee32d0ca2f98648bf

SHA256
cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68

SHA512
e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05

Download Submit
C:\NSpack\updIns\gg4359.bat
MD5
b4be21a8f4bb91b11ccaf08b39b679d5

SHA1
b3da567bb1072168b54866ee29301bde61bdc45e

SHA256
35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d

SHA512
a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c

Download Submit
C:\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
C:\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
C:\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
C:\NSpack\updIns\sevenup.vbs
MD5
6a551928353982ab64107a4929c91c91

SHA1
b68ee5e77a722638f184d0fbf6a4834bb8cc188e

SHA256
0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3

SHA512
870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d

Download Submit
C:\NSpack\updIns\tetracom.vbs
MD5
bdc0fb5cada9a89f074961224aaf4e63

SHA1
9284fe4ecc0fde705fc596dd89191c02915fd7a4

SHA256
b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db

SHA512
83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28

Download Submit
\NSpack\updIns\Sgsmmodul.com
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
\NSpack\updIns\mmscx.exe
MD5
3e79f72a8ae481ac76a69ccf1213d24d

SHA1
de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2

SHA256
1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4

SHA512
2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

Download Submit
memory/368-87-0x0000000000000000-mapping.dmp

Download
memory/736-72-0x0000000000000000-mapping.dmp

Download
memory/744-111-0x0000000004862000-0x0000000004863000-memory.dmp

Filesize
4KB

Download
memory/744-114-0x0000000004864000-0x0000000004866000-memory.dmp

Filesize
8KB

Download
memory/744-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-97-0x000000000040CD2F-mapping.dmp

Download
memory/744-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-112-0x0000000001CC0000-0x0000000001CDB000-memory.dmp

Filesize
108KB

Download
memory/744-110-0x0000000004861000-0x0000000004862000-memory.dmp

Filesize
4KB

Download
memory/744-113-0x0000000004863000-0x0000000004864000-memory.dmp

Filesize
4KB

Download
memory/744-109-0x00000000004B0000-0x00000000004CD000-memory.dmp

Filesize
116KB

Download
memory/856-75-0x0000000000000000-mapping.dmp

Download
memory/920-83-0x0000000000000000-mapping.dmp

Download
memory/952-106-0x0000000000000000-mapping.dmp

Download
memory/1028-104-0x0000000000000000-mapping.dmp

Download
memory/1088-85-0x0000000000000000-mapping.dmp

Download
memory/1256-67-0x0000000000000000-mapping.dmp

Download
memory/1288-79-0x0000000000000000-mapping.dmp

Download
memory/1308-102-0x0000000000000000-mapping.dmp

Download
memory/1604-99-0x0000000000000000-mapping.dmp

Download
memory/1696-92-0x0000000000000000-mapping.dmp

Download
memory/1768-78-0x0000000000000000-mapping.dmp

Download
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1928-65-0x0000000000000000-mapping.dmp

Download
memory/2032-61-0x0000000000000000-mapping.dmp

Download