redline | 909aaea4a3072305c0bcaab9d7b9cab70990305541db276ab8d870e3fbc51a18

Analysis

max time kernel
300s
max time network
329s
platform
windows10_x64
resource
win10v20210408
submitted
23-08-2021 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ma_5nZD3yos0uV8jzHnJSVxT.exe
Size

163KB
MD5

ec3921304077e2ac56d2f5060adab3d5
SHA1

923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256

b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA512

3796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28

Score

10^/10

redline discovery infostealer persistence spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral20/memory/3192-141-0x0000000005750000-0x0000000005782000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

2185864.exe6704730.exe5728157.exe3695137.exeWinHoster.exe

pid process

2764 2185864.exe
3476 6704730.exe
3192 5728157.exe
2580 3695137.exe
3908 WinHoster.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6704730.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6704730.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3820 2764 WerFault.exe 2185864.exe
1336 2580 WerFault.exe 3695137.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

pid	pid_target	process	target process
3820	2764	WerFault.exe	2185864.exe
1336	2580	WerFault.exe	3695137.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

2185864.exe3695137.exeWerFault.exeWerFault.exe5728157.exe

pid	process
2764	2185864.exe
2580	3695137.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
3820	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
3192	5728157.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

ma_5nZD3yos0uV8jzHnJSVxT.exe2185864.exe3695137.exe5728157.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe
Token: SeDebugPrivilege	2764	2185864.exe
Token: SeDebugPrivilege	2580	3695137.exe
Token: SeDebugPrivilege	3192	5728157.exe
Token: SeDebugPrivilege	3820	WerFault.exe
Token: SeRestorePrivilege	1336	WerFault.exe
Token: SeBackupPrivilege	1336	WerFault.exe
Token: SeBackupPrivilege	1336	WerFault.exe
Token: SeDebugPrivilege	1336	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ma_5nZD3yos0uV8jzHnJSVxT.exe6704730.exe

description	pid	process	target process
PID 2988 wrote to memory of 2764	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	2185864.exe
PID 2988 wrote to memory of 2764	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	2185864.exe
PID 2988 wrote to memory of 3476	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	6704730.exe
PID 2988 wrote to memory of 3476	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	6704730.exe
PID 2988 wrote to memory of 3476	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	6704730.exe
PID 2988 wrote to memory of 3192	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	5728157.exe
PID 2988 wrote to memory of 3192	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	5728157.exe
PID 2988 wrote to memory of 3192	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	5728157.exe
PID 2988 wrote to memory of 2580	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	3695137.exe
PID 2988 wrote to memory of 2580	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	3695137.exe
PID 2988 wrote to memory of 2580	2988	ma_5nZD3yos0uV8jzHnJSVxT.exe	3695137.exe
PID 3476 wrote to memory of 3908	3476	6704730.exe	WinHoster.exe
PID 3476 wrote to memory of 3908	3476	6704730.exe	WinHoster.exe
PID 3476 wrote to memory of 3908	3476	6704730.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\ma_5nZD3yos0uV8jzHnJSVxT.exe
"C:\Users\Admin\AppData\Local\Temp\ma_5nZD3yos0uV8jzHnJSVxT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Roaming\2185864.exe
"C:\Users\Admin\AppData\Roaming\2185864.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2764 -s 2116
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Users\Admin\AppData\Roaming\6704730.exe
"C:\Users\Admin\AppData\Roaming\6704730.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:3908

C:\Users\Admin\AppData\Roaming\5728157.exe
"C:\Users\Admin\AppData\Roaming\5728157.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Users\Admin\AppData\Roaming\3695137.exe
"C:\Users\Admin\AppData\Roaming\3695137.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 2180
3⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2185864.exe
MD5
724252e8cc86d50db3dd965a744188c0

SHA1
4f96e366267aa778d2f6b11bc35e5aca518a6c30

SHA256
786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff

SHA512
3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91

Download Submit
C:\Users\Admin\AppData\Roaming\2185864.exe
MD5
724252e8cc86d50db3dd965a744188c0

SHA1
4f96e366267aa778d2f6b11bc35e5aca518a6c30

SHA256
786bcc1e15c4c6c7a37ac4908c5991d5589b6d04c74070c0f083287fc74782ff

SHA512
3443a8230f77555e1c101a6b9a91d6695a45ff1cc5a503cb14ba0b87cefc8a58ab7e3d96df344f2df043fd285bc235e81dae51a8c6317d9262c519f945dd7a91

Download Submit
C:\Users\Admin\AppData\Roaming\3695137.exe
MD5
f194d7ae32b3bb8d9cb2e568ea60e962

SHA1
2e96571159c632c6782c4af0c598d838e856ae0b

SHA256
88184a929722705ecf5fd0631703e8b11f20a7a3145d2d94c18401cdb63d4221

SHA512
fbdc1c143d84f2fbbe688a3b26cf3258e127f99a56632f995e8e435c0143b71cfb8b45fd272ba8d40363908fb7b547fad55a289f449fc0bd568fc0c021044691

Download Submit
C:\Users\Admin\AppData\Roaming\3695137.exe
MD5
f194d7ae32b3bb8d9cb2e568ea60e962

SHA1
2e96571159c632c6782c4af0c598d838e856ae0b

SHA256
88184a929722705ecf5fd0631703e8b11f20a7a3145d2d94c18401cdb63d4221

SHA512
fbdc1c143d84f2fbbe688a3b26cf3258e127f99a56632f995e8e435c0143b71cfb8b45fd272ba8d40363908fb7b547fad55a289f449fc0bd568fc0c021044691

Download Submit
C:\Users\Admin\AppData\Roaming\5728157.exe
MD5
820b27e48dac554a246970c5dfefd5ce

SHA1
02c7a5d427d043f063e706933cfd993258a58c9c

SHA256
01e36e0ee266f5726c5e7d2eb01537cce145836e115c3629b7ca1f61fd2ee709

SHA512
0c0fafb33829db45737ef0b552c3326bc11f199fdf789f528f3990ff8b61a55d83a8658689a30f3422cf02ffa488feea8252ca6a169a7d5f9a27e119846cff04

Download Submit
C:\Users\Admin\AppData\Roaming\5728157.exe
MD5
820b27e48dac554a246970c5dfefd5ce

SHA1
02c7a5d427d043f063e706933cfd993258a58c9c

SHA256
01e36e0ee266f5726c5e7d2eb01537cce145836e115c3629b7ca1f61fd2ee709

SHA512
0c0fafb33829db45737ef0b552c3326bc11f199fdf789f528f3990ff8b61a55d83a8658689a30f3422cf02ffa488feea8252ca6a169a7d5f9a27e119846cff04

Download Submit
C:\Users\Admin\AppData\Roaming\6704730.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\6704730.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
memory/2580-169-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2580-162-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2580-134-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2580-145-0x000000000A240000-0x000000000A26D000-memory.dmp

Filesize
180KB

Download
memory/2580-129-0x0000000000000000-mapping.dmp

Download
memory/2580-151-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2580-140-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2580-148-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2764-121-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2764-128-0x0000000002F70000-0x0000000002FBA000-memory.dmp

Filesize
296KB

Download
memory/2764-125-0x0000000001550000-0x0000000001552000-memory.dmp

Filesize
8KB

Download
memory/2764-118-0x0000000000000000-mapping.dmp

Download
memory/2988-114-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2988-117-0x0000000001640000-0x0000000001642000-memory.dmp

Filesize
8KB

Download
memory/2988-116-0x0000000001650000-0x000000000166C000-memory.dmp

Filesize
112KB

Download
memory/3192-141-0x0000000005750000-0x0000000005782000-memory.dmp

Filesize
200KB

Download
memory/3192-167-0x00000000091C0000-0x00000000091C1000-memory.dmp

Filesize
4KB

Download
memory/3192-146-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/3192-147-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/3192-174-0x0000000009E80000-0x0000000009E81000-memory.dmp

Filesize
4KB

Download
memory/3192-149-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/3192-150-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/3192-172-0x0000000009DF0000-0x0000000009DF1000-memory.dmp

Filesize
4KB

Download
memory/3192-152-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3192-153-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/3192-168-0x00000000098C0000-0x00000000098C1000-memory.dmp

Filesize
4KB

Download
memory/3192-126-0x0000000000000000-mapping.dmp

Download
memory/3192-136-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3476-135-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3476-144-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3476-123-0x0000000000000000-mapping.dmp

Download
memory/3476-142-0x0000000001090000-0x0000000001096000-memory.dmp

Filesize
24KB

Download
memory/3476-143-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/3908-163-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/3908-164-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3908-154-0x0000000000000000-mapping.dmp

Download