redline | 8050946d45275d1d9a207b61e1e7c69f906193fe120b111497bb15960f9ca379

Analysis

max time kernel
115s
max time network
121s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fri192c305b4a.exe
Size

1.5MB
MD5

b9d6fa9af107c8f185fa981e9365a3ec
SHA1

77b4459537959d478a4dc9ba64c80d44a278f679
SHA256

37b758e9d8ac0212bde2acff6c6a1d53f0bfcc202f2d129a7ee4e0a4dcac3770
SHA512

a9c631b58686dd0b86c95046709d667fae31dddd7a74b62235840d67d2aa4b2ce1cdc235f87d151c880137ee7d69cb934dc6239aada7de9b532b331b9e54b090

Score

10^/10

redline jane06 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

jane06

94.103.94.214:29899

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral10/memory/3244-144-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

tmp96E6_tmp.exeAdorarti.exe.comAdorarti.exe.comRegAsm.exe

pid process

1224 tmp96E6_tmp.exe
2192 Adorarti.exe.com
3944 Adorarti.exe.com
3244 RegAsm.exe
Drops startup file 1 IoCs

Processes:

Adorarti.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNQSsdFJvw.url Adorarti.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1224	tmp96E6_tmp.exe
2192	Adorarti.exe.com
3944	Adorarti.exe.com
3244	RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNQSsdFJvw.url	Adorarti.exe.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp96E6_tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmp96E6_tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp96E6_tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Adorarti.exe.com

description pid process target process

PID 3944 set thread context of 3244 3944 Adorarti.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2372 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

3244 RegAsm.exe
3244 RegAsm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Adorarti.exe.com

pid process

3944 Adorarti.exe.com
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Fri192c305b4a.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 652 Fri192c305b4a.exe
Token: SeDebugPrivilege 3244 RegAsm.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Adorarti.exe.comAdorarti.exe.com

pid process

2192 Adorarti.exe.com
2192 Adorarti.exe.com
2192 Adorarti.exe.com
3944 Adorarti.exe.com
3944 Adorarti.exe.com
3944 Adorarti.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Adorarti.exe.comAdorarti.exe.com

pid process

2192 Adorarti.exe.com
2192 Adorarti.exe.com
2192 Adorarti.exe.com
3944 Adorarti.exe.com
3944 Adorarti.exe.com
3944 Adorarti.exe.com

description	pid	process	target process
PID 3944 set thread context of 3244	3944	Adorarti.exe.com	RegAsm.exe

pid	process
2372	PING.EXE

pid	process
3244	RegAsm.exe
3244	RegAsm.exe

pid	process
3944	Adorarti.exe.com

description	pid	process
Token: SeDebugPrivilege	652	Fri192c305b4a.exe
Token: SeDebugPrivilege	3244	RegAsm.exe

pid	process
2192	Adorarti.exe.com
2192	Adorarti.exe.com
2192	Adorarti.exe.com
3944	Adorarti.exe.com
3944	Adorarti.exe.com
3944	Adorarti.exe.com

pid	process
2192	Adorarti.exe.com
2192	Adorarti.exe.com
2192	Adorarti.exe.com
3944	Adorarti.exe.com
3944	Adorarti.exe.com
3944	Adorarti.exe.com

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Fri192c305b4a.exetmp96E6_tmp.execmd.execmd.exeAdorarti.exe.comAdorarti.exe.com

description	pid	process	target process
PID 652 wrote to memory of 1224	652	Fri192c305b4a.exe	tmp96E6_tmp.exe
PID 652 wrote to memory of 1224	652	Fri192c305b4a.exe	tmp96E6_tmp.exe
PID 652 wrote to memory of 1224	652	Fri192c305b4a.exe	tmp96E6_tmp.exe
PID 1224 wrote to memory of 1476	1224	tmp96E6_tmp.exe	dllhost.exe
PID 1224 wrote to memory of 1476	1224	tmp96E6_tmp.exe	dllhost.exe
PID 1224 wrote to memory of 1476	1224	tmp96E6_tmp.exe	dllhost.exe
PID 1224 wrote to memory of 1588	1224	tmp96E6_tmp.exe	cmd.exe
PID 1224 wrote to memory of 1588	1224	tmp96E6_tmp.exe	cmd.exe
PID 1224 wrote to memory of 1588	1224	tmp96E6_tmp.exe	cmd.exe
PID 1588 wrote to memory of 1824	1588	cmd.exe	cmd.exe
PID 1588 wrote to memory of 1824	1588	cmd.exe	cmd.exe
PID 1588 wrote to memory of 1824	1588	cmd.exe	cmd.exe
PID 1824 wrote to memory of 2004	1824	cmd.exe	findstr.exe
PID 1824 wrote to memory of 2004	1824	cmd.exe	findstr.exe
PID 1824 wrote to memory of 2004	1824	cmd.exe	findstr.exe
PID 1824 wrote to memory of 2192	1824	cmd.exe	Adorarti.exe.com
PID 1824 wrote to memory of 2192	1824	cmd.exe	Adorarti.exe.com
PID 1824 wrote to memory of 2192	1824	cmd.exe	Adorarti.exe.com
PID 1824 wrote to memory of 2372	1824	cmd.exe	PING.EXE
PID 1824 wrote to memory of 2372	1824	cmd.exe	PING.EXE
PID 1824 wrote to memory of 2372	1824	cmd.exe	PING.EXE
PID 2192 wrote to memory of 3944	2192	Adorarti.exe.com	Adorarti.exe.com
PID 2192 wrote to memory of 3944	2192	Adorarti.exe.com	Adorarti.exe.com
PID 2192 wrote to memory of 3944	2192	Adorarti.exe.com	Adorarti.exe.com
PID 3944 wrote to memory of 3244	3944	Adorarti.exe.com	RegAsm.exe
PID 3944 wrote to memory of 3244	3944	Adorarti.exe.com	RegAsm.exe
PID 3944 wrote to memory of 3244	3944	Adorarti.exe.com	RegAsm.exe
PID 3944 wrote to memory of 3244	3944	Adorarti.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Fri192c305b4a.exe
"C:\Users\Admin\AppData\Local\Temp\Fri192c305b4a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\tmp96E6_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp96E6_tmp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
3⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Attesa.wmv
3⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv
5⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
Adorarti.exe.com u
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
6⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\PING.EXE
ping localhost
5⤵
- Runs ping.exe
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Attesa.wmv
MD5
1708e123cef16c0ebc0ec0a74c3abc7e

SHA1
e02fb9b5ffe06ef360142ec1316b301f42efef6b

SHA256
0d9b3b98f58a4630a86fd32ea957f262ecab5b4a523ff5adb326d451c726da43

SHA512
3927ea2be312aad9fd27e511bf9a94c8411d65359352c2369df803412a47101ef4fab7e636e79c7e11a5d8ce90aab617f4c115dd8c86b234d396dafb3581af57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Braccio.wmv
MD5
21ee2a7d988d7196cccef916a8018f17

SHA1
984bbf626cc76a6ec66fd577a7aee86320416658

SHA256
8308b0b408c1b46ccc7e11d4644dd6f07bf8f250c500259953650ee62bd8996c

SHA512
734df8c648cc1e740da42672344b4f4a5e0f9b145147a9f7640d783843194665d1c38b08394b029d6a1080817ff481198bb60d26c0fbded83325c19420d18902

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mia.wmv
MD5
0e03032f9ce2cd8d30fc7c03e8b1b6f4

SHA1
17a4b85fa589a1c2326b38d1ff12b76ffb9ef460

SHA256
54d9b0a0221a365c4ed91d5ac1115aebc6e4bd64326f4451b0c2791597d74fc8

SHA512
7bb0bed2f2579bf55f5232d3884fa5592239e077be0726f79bf95b3f5adae0fe8e714144e4da0d18cef4d69b540f64502e3c5e22d67d4633d354822a739ad73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rarissima.wmv
MD5
e041fcbeb695c33065f08fbefc998a48

SHA1
a3d68dfbd5516aba8b053b8da960df5af3672ed3

SHA256
e7641802859a938e433e93aeb4490996b8a02365100bb541f03a84961c9e612a

SHA512
0e54dba0d808ea9590ad365ad10ec3ef77ca04a3cb85022525013ba2208b12df3c4eb6a2bff950aab501bfa5488ade7db5057ec45e9511990bfb249c4e855569

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u
MD5
e041fcbeb695c33065f08fbefc998a48

SHA1
a3d68dfbd5516aba8b053b8da960df5af3672ed3

SHA256
e7641802859a938e433e93aeb4490996b8a02365100bb541f03a84961c9e612a

SHA512
0e54dba0d808ea9590ad365ad10ec3ef77ca04a3cb85022525013ba2208b12df3c4eb6a2bff950aab501bfa5488ade7db5057ec45e9511990bfb249c4e855569

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96E6_tmp.exe
MD5
7d0957ec9f3546557c71d4ea7bf04038

SHA1
3a581680722106c65de14212f05ee9f14a5c7a46

SHA256
52b103a31f03ba940cf56a290837c3686b264f772e11628e87f631945987c37d

SHA512
550cf795257570cce06c31d153634ea5ab887c64db098ad1fe91f1a7410acc2ff8e52f011cdbf3215dcb0b70c585fb50b9b01a8db003230fdbd41cf6f1195ab4

Download Submit
memory/652-118-0x0000025BA00F0000-0x0000025BA016E000-memory.dmp

Filesize
504KB

Download
memory/652-120-0x0000025B9D1A5000-0x0000025B9D1A7000-memory.dmp

Filesize
8KB

Download
memory/652-121-0x0000025B9D1A4000-0x0000025B9D1A5000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x0000025B9D1A2000-0x0000025B9D1A4000-memory.dmp

Filesize
8KB

Download
memory/652-116-0x0000025B9D1A0000-0x0000025B9D1A2000-memory.dmp

Filesize
8KB

Download
memory/652-114-0x0000025B82A20000-0x0000025B82A21000-memory.dmp

Filesize
4KB

Download
memory/652-117-0x0000025B82E90000-0x0000025B82E9B000-memory.dmp

Filesize
44KB

Download
memory/1224-122-0x0000000000000000-mapping.dmp

Download
memory/1476-124-0x0000000000000000-mapping.dmp

Download
memory/1588-125-0x0000000000000000-mapping.dmp

Download
memory/1824-127-0x0000000000000000-mapping.dmp

Download
memory/2004-128-0x0000000000000000-mapping.dmp

Download
memory/2192-131-0x0000000000000000-mapping.dmp

Download
memory/2372-133-0x0000000000000000-mapping.dmp

Download
memory/3244-158-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/3244-150-0x0000000005040000-0x0000000005646000-memory.dmp

Filesize
6.0MB

Download
memory/3244-159-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/3244-139-0x000000000041C5DA-mapping.dmp

Download
memory/3244-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3244-146-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/3244-147-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3244-148-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/3244-149-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3244-157-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/3244-151-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/3244-152-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/3244-153-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3244-154-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/3244-155-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/3244-156-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/3944-135-0x0000000000000000-mapping.dmp

Download
memory/3944-142-0x0000000000C00000-0x0000000000D4A000-memory.dmp

Filesize
1.3MB

Download
memory/3944-143-0x0000000000C00000-0x0000000000D4A000-memory.dmp

Filesize
1.3MB

Download