redline | 907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4

Analysis

max time kernel
42s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
21-08-2021 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.exe
Size

727KB
MD5

33e12da8c235ff1459e0f0a8fabee0ec
SHA1

f1d1afc7d92ce245ec16a5fe6046817b65abfcf3
SHA256

907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4
SHA512

cd592c8deca609e7556ecb866d835b655a37ba5593f8ffad48933e3644fe6c53fa2073ad6841e69d46fd7136fbc495f59e33d943cc234507f0d19713eda3fb27

Score

10^/10

redline ruz discovery evasion infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

RUZ

oltorarrar.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2404-142-0x0000000000710000-0x000000000072D000-memory.dmp	family_redline
behavioral1/memory/2404-144-0x00000000021B0000-0x00000000021CB000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

consoleNS.exebrokers.exebrokers.exe

pid process

3648 consoleNS.exe
2096 brokers.exe
2404 brokers.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

brokers.exe

description pid process target process

PID 2096 set thread context of 2404 2096 brokers.exe brokers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4060 timeout.exe
3872 timeout.exe
2880 timeout.exe
1252 timeout.exe
2180 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2568 taskkill.exe
1516 taskkill.exe

pid	process
3648	consoleNS.exe
2096	brokers.exe
2404	brokers.exe

description	pid	process	target process
PID 2096 set thread context of 2404	2096	brokers.exe	brokers.exe

pid	process
4060	timeout.exe
3872	timeout.exe
2880	timeout.exe
1252	timeout.exe
2180	timeout.exe

pid	process
2568	taskkill.exe
1516	taskkill.exe

Modifies registry class 2 IoCs

Processes:

907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

brokers.exe

pid process

2404 brokers.exe
2404 brokers.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exebrokers.exe

description pid process

Token: SeDebugPrivilege 2568 taskkill.exe
Token: SeDebugPrivilege 2404 brokers.exe

pid	process
2404	brokers.exe
2404	brokers.exe

description	pid	process
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	2404	brokers.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.exeWScript.execmd.exeWScript.execmd.exebrokers.exe

description	pid	process	target process
PID 504 wrote to memory of 2476	504	907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.exe	WScript.exe
PID 504 wrote to memory of 2476	504	907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.exe	WScript.exe
PID 504 wrote to memory of 2476	504	907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.exe	WScript.exe
PID 2476 wrote to memory of 2728	2476	WScript.exe	cmd.exe
PID 2476 wrote to memory of 2728	2476	WScript.exe	cmd.exe
PID 2476 wrote to memory of 2728	2476	WScript.exe	cmd.exe
PID 2728 wrote to memory of 4060	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 4060	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 4060	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 3648	2728	cmd.exe	consoleNS.exe
PID 2728 wrote to memory of 3648	2728	cmd.exe	consoleNS.exe
PID 2728 wrote to memory of 3648	2728	cmd.exe	consoleNS.exe
PID 2728 wrote to memory of 3872	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 3872	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 3872	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 2696	2728	cmd.exe	WScript.exe
PID 2728 wrote to memory of 2696	2728	cmd.exe	WScript.exe
PID 2728 wrote to memory of 2696	2728	cmd.exe	WScript.exe
PID 2728 wrote to memory of 2880	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 2880	2728	cmd.exe	timeout.exe
PID 2728 wrote to memory of 2880	2728	cmd.exe	timeout.exe
PID 2696 wrote to memory of 748	2696	WScript.exe	cmd.exe
PID 2696 wrote to memory of 748	2696	WScript.exe	cmd.exe
PID 2696 wrote to memory of 748	2696	WScript.exe	cmd.exe
PID 748 wrote to memory of 960	748	cmd.exe	attrib.exe
PID 748 wrote to memory of 960	748	cmd.exe	attrib.exe
PID 748 wrote to memory of 960	748	cmd.exe	attrib.exe
PID 748 wrote to memory of 1252	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1252	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 1252	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 2096	748	cmd.exe	brokers.exe
PID 748 wrote to memory of 2096	748	cmd.exe	brokers.exe
PID 748 wrote to memory of 2096	748	cmd.exe	brokers.exe
PID 2096 wrote to memory of 2404	2096	brokers.exe	brokers.exe
PID 2096 wrote to memory of 2404	2096	brokers.exe	brokers.exe
PID 2096 wrote to memory of 2404	2096	brokers.exe	brokers.exe
PID 2096 wrote to memory of 2404	2096	brokers.exe	brokers.exe
PID 2096 wrote to memory of 2404	2096	brokers.exe	brokers.exe
PID 748 wrote to memory of 2568	748	cmd.exe	taskkill.exe
PID 748 wrote to memory of 2568	748	cmd.exe	taskkill.exe
PID 748 wrote to memory of 2568	748	cmd.exe	taskkill.exe
PID 748 wrote to memory of 1516	748	cmd.exe	taskkill.exe
PID 748 wrote to memory of 1516	748	cmd.exe	taskkill.exe
PID 748 wrote to memory of 1516	748	cmd.exe	taskkill.exe
PID 748 wrote to memory of 2076	748	cmd.exe	attrib.exe
PID 748 wrote to memory of 2076	748	cmd.exe	attrib.exe
PID 748 wrote to memory of 2076	748	cmd.exe	attrib.exe
PID 748 wrote to memory of 2180	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 2180	748	cmd.exe	timeout.exe
PID 748 wrote to memory of 2180	748	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

960 attrib.exe
2076 attrib.exe

pid	process
960	attrib.exe
2076	attrib.exe

C:\Users\Admin\AppData\Local\Temp\907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.exe
"C:\Users\Admin\AppData\Local\Temp\907876df0427090d4661a0b1dbc1e39c8cef859f7b6872cf2ed1f2fdc1c250f4.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\3494350923730973792\IDTV\iptv.vbs" /f=CREATE_NO_WINDOW install.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\3494350923730973792\IDTV\mele.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\timeout.exe
timeout 7
4⤵
- Delays execution with timeout.exe
PID:4060

C:\3494350923730973792\IDTV\consoleNS.exe
"consoleNS.exe" e -pgr87dbiucg99dscujhsjs2178hwhCV packinsl.rar
4⤵
- Executes dropped EXE
PID:3648

C:\Windows\SysWOW64\timeout.exe
timeout 6
4⤵
- Delays execution with timeout.exe
PID:3872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\3494350923730973792\IDTV\wasp.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\3494350923730973792\IDTV\gogog.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\3494350923730973792"
6⤵
- Views/modifies file attributes
PID:960

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:1252

C:\3494350923730973792\IDTV\brokers.exe
brokers.exe /start
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2096

C:\3494350923730973792\IDTV\brokers.exe
brokers.exe /start
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im consoleNS.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im consoleNS.exe
6⤵
- Kills process with taskkill
PID:1516

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\3494350923730973792\IDTV"
6⤵
- Views/modifies file attributes
PID:2076

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:2180

C:\Windows\SysWOW64\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3494350923730973792\IDTV\brokers.exe
MD5
1f3ad5a69ef3fa75a2981ad3c3fac2a0

SHA1
06476fb0b616646cc036863ba86f19c0cbc88aab

SHA256
0bf4c0ad30bb19721533cc77e8af88148c2b095f3618987a158bc9f46d8a0897

SHA512
84619c478fcb98c4bd2ad3ec14a04c3a3dc61482139a1c863743e6ea42077982e2d7af556d7183d04f5b92db42e12366580675890a66059193fd4907fb3f8b8f

Download Submit
C:\3494350923730973792\IDTV\brokers.exe
MD5
1f3ad5a69ef3fa75a2981ad3c3fac2a0

SHA1
06476fb0b616646cc036863ba86f19c0cbc88aab

SHA256
0bf4c0ad30bb19721533cc77e8af88148c2b095f3618987a158bc9f46d8a0897

SHA512
84619c478fcb98c4bd2ad3ec14a04c3a3dc61482139a1c863743e6ea42077982e2d7af556d7183d04f5b92db42e12366580675890a66059193fd4907fb3f8b8f

Download Submit
C:\3494350923730973792\IDTV\brokers.exe
MD5
1f3ad5a69ef3fa75a2981ad3c3fac2a0

SHA1
06476fb0b616646cc036863ba86f19c0cbc88aab

SHA256
0bf4c0ad30bb19721533cc77e8af88148c2b095f3618987a158bc9f46d8a0897

SHA512
84619c478fcb98c4bd2ad3ec14a04c3a3dc61482139a1c863743e6ea42077982e2d7af556d7183d04f5b92db42e12366580675890a66059193fd4907fb3f8b8f

Download Submit
C:\3494350923730973792\IDTV\consoleNS.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\3494350923730973792\IDTV\consoleNS.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\3494350923730973792\IDTV\gogog.bat
MD5
96a32980a1b92f7abefcfc63f3865e5e

SHA1
1fb0193192a2bd3f8be1b721b5e7b8e25e597fb7

SHA256
9e41e2ff3807b52a18ea9af1494ec3621d224beb29b2f56532428e0df6bbbfca

SHA512
f40d347c29f5d6c64fd87ec0117d60dd486ab73afb6493e57e7cdda0fc53137b2c9e2a103b669a0807f167c3d2300c5e90bd0f2c140be50dd1937f9a243e9879

Download Submit
C:\3494350923730973792\IDTV\iptv.vbs
MD5
d9e21e10863fb67375834414a75594c6

SHA1
1b695a94c459c1f36aa842b2b5b2af263b027c96

SHA256
bd0fb8dce5cbe03a3b69820abd7932f9386091ef2a2e89483d322d855ad8b496

SHA512
babf379c22edf91b1556438736da9eaf63fa67228db33c650adabf811a6193bb404fc1d29d21e679310a4cee6a1350ac0fb851379adc656da1bc47ee9fa0e077

Download Submit
C:\3494350923730973792\IDTV\mele.bat
MD5
02be783db43f6976522154de968bc83c

SHA1
2a28d092ae1a828e36a3000d171026a5ec805cc9

SHA256
76a6f9bb90efc738be18807ec0d2a0d9476a461f62f35111c89ca639004f22a6

SHA512
e1f9c378ffddf743d2f76d8c6c06295383e43abe9288f28e04e122ef5b2b325d52f71fc2db2ff0b9d73d7891e9fd5f7911f1843e687f2f48004054f1750c47fc

Download Submit
C:\3494350923730973792\IDTV\pspconsole
MD5
beebd0e0057cf7e66eb6163dd0bd7adb

SHA1
94cd8322db58a5cafcaa1a382cb62cdb919dd2e8

SHA256
1d0a204d716a9c0b2107799d1c19889b9e4d55101ae9ecacdee685e0a156d171

SHA512
37b7c786dd6b1246d7f9ed41c714082dcb544d0f9c31b46895be744ee0c41672f529a2b1d76305e9a56929b8d1f7190a1fa25d38af70f9c51c563104ac567657

Download Submit
C:\3494350923730973792\IDTV\wasp.vbs
MD5
03e99c4c6d3afeacb5faad29c9f69378

SHA1
97e11b7c038cec7cd194f691d502acc45affa580

SHA256
ab3d0bf431c9d524a86401bb040a118f2a5cc816e7b0d6f93fa428cf3374a810

SHA512
ba373eefe15760d89b38360d9e335c653d0e023fc20bb843fb618c12f51ed900ef463a7232f860801cd8e64c462c8e7fc4f23da5d96d6854091d0c5bf9268c0b

Download Submit
memory/748-127-0x0000000000000000-mapping.dmp

Download
memory/960-128-0x0000000000000000-mapping.dmp

Download
memory/1252-129-0x0000000000000000-mapping.dmp

Download
memory/1516-137-0x0000000000000000-mapping.dmp

Download
memory/2076-138-0x0000000000000000-mapping.dmp

Download
memory/2096-130-0x0000000000000000-mapping.dmp

Download
memory/2180-139-0x0000000000000000-mapping.dmp

Download
memory/2404-155-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download
memory/2404-142-0x0000000000710000-0x000000000072D000-memory.dmp

Filesize
116KB

Download
memory/2404-134-0x000000000040CD2F-mapping.dmp

Download
memory/2404-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-156-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/2404-152-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2404-157-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/2404-158-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/2404-159-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/2404-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-141-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2404-154-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/2404-143-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2404-144-0x00000000021B0000-0x00000000021CB000-memory.dmp

Filesize
108KB

Download
memory/2404-145-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2404-146-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/2404-147-0x0000000004B22000-0x0000000004B23000-memory.dmp

Filesize
4KB

Download
memory/2404-148-0x0000000004B23000-0x0000000004B24000-memory.dmp

Filesize
4KB

Download
memory/2404-149-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2404-150-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/2404-151-0x0000000004B24000-0x0000000004B26000-memory.dmp

Filesize
8KB

Download
memory/2476-114-0x0000000000000000-mapping.dmp

Download
memory/2568-136-0x0000000000000000-mapping.dmp

Download
memory/2696-124-0x0000000000000000-mapping.dmp

Download
memory/2728-117-0x0000000000000000-mapping.dmp

Download
memory/2880-125-0x0000000000000000-mapping.dmp

Download
memory/3648-120-0x0000000000000000-mapping.dmp

Download
memory/3872-122-0x0000000000000000-mapping.dmp

Download
memory/4060-118-0x0000000000000000-mapping.dmp

Download