redline | d10544139ffbcd7ffc09da204db4afcb11d5895e6a6716dbb769dd935adaa700

Analysis

max time kernel
65s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
26-09-2021 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

usfive_20210926-140047.exe
Size

1.1MB
MD5

ee5b41fbd6ee965394116e2e1d5aa5a8
SHA1

70a648ca5622fbc16a96188671c6ba001c49fbf2
SHA256

d10544139ffbcd7ffc09da204db4afcb11d5895e6a6716dbb769dd935adaa700
SHA512

164b6676cc2e4c68fff428450bc9481d2c3698ef3f644f47c5901ca46c46d006c70b4a3496b57eadbf888dbb808ec5598cdfffed30386f6e4f946696886ecdad

Score

10^/10

redline qwe454 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

qwe454

45.140.146.240:42628

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2508-129-0x0000000000390000-0x00000000003B2000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Vai.exe.comVai.exe.comRegAsm.exe

pid process

1336 Vai.exe.com
1708 Vai.exe.com
2508 RegAsm.exe
Loads dropped DLL 1 IoCs

Processes:

usfive_20210926-140047.exe

pid process

644 usfive_20210926-140047.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Vai.exe.com

description pid process target process

PID 1708 set thread context of 2508 1708 Vai.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1548 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

2508 RegAsm.exe
2508 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2508 RegAsm.exe

pid	process
1336	Vai.exe.com
1708	Vai.exe.com
2508	RegAsm.exe

pid	process
644	usfive_20210926-140047.exe

description	pid	process	target process
PID 1708 set thread context of 2508	1708	Vai.exe.com	RegAsm.exe

pid	process
1548	PING.EXE

pid	process
2508	RegAsm.exe
2508	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2508	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

usfive_20210926-140047.execmd.execmd.exeVai.exe.comVai.exe.com

description	pid	process	target process
PID 644 wrote to memory of 912	644	usfive_20210926-140047.exe	cmd.exe
PID 644 wrote to memory of 912	644	usfive_20210926-140047.exe	cmd.exe
PID 644 wrote to memory of 912	644	usfive_20210926-140047.exe	cmd.exe
PID 912 wrote to memory of 1072	912	cmd.exe	cmd.exe
PID 912 wrote to memory of 1072	912	cmd.exe	cmd.exe
PID 912 wrote to memory of 1072	912	cmd.exe	cmd.exe
PID 1072 wrote to memory of 1168	1072	cmd.exe	findstr.exe
PID 1072 wrote to memory of 1168	1072	cmd.exe	findstr.exe
PID 1072 wrote to memory of 1168	1072	cmd.exe	findstr.exe
PID 1072 wrote to memory of 1336	1072	cmd.exe	Vai.exe.com
PID 1072 wrote to memory of 1336	1072	cmd.exe	Vai.exe.com
PID 1072 wrote to memory of 1336	1072	cmd.exe	Vai.exe.com
PID 1072 wrote to memory of 1548	1072	cmd.exe	PING.EXE
PID 1072 wrote to memory of 1548	1072	cmd.exe	PING.EXE
PID 1072 wrote to memory of 1548	1072	cmd.exe	PING.EXE
PID 1336 wrote to memory of 1708	1336	Vai.exe.com	Vai.exe.com
PID 1336 wrote to memory of 1708	1336	Vai.exe.com	Vai.exe.com
PID 1336 wrote to memory of 1708	1336	Vai.exe.com	Vai.exe.com
PID 1708 wrote to memory of 2508	1708	Vai.exe.com	RegAsm.exe
PID 1708 wrote to memory of 2508	1708	Vai.exe.com	RegAsm.exe
PID 1708 wrote to memory of 2508	1708	Vai.exe.com	RegAsm.exe
PID 1708 wrote to memory of 2508	1708	Vai.exe.com	RegAsm.exe
PID 1708 wrote to memory of 2508	1708	Vai.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\usfive_20210926-140047.exe
"C:\Users\Admin\AppData\Local\Temp\usfive_20210926-140047.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c cmd < Che.xlsm
2⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^AYnrWJykZnSQXrhxrJBDTgJUDeotbFpKxNHOFSXpSFcFooRJfQOCRSbjfEmUBwOzgivpvnOkLaKhSrLclnOGRHTBdcmwarIRResqLH$" Sue.xlsm
4⤵
PID:1168

C:\Users\Admin\AppData\Roaming\Vai.exe.com
Vai.exe.com X
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Roaming\Vai.exe.com
C:\Users\Admin\AppData\Roaming\Vai.exe.com X
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Roaming\RegAsm.exe
C:\Users\Admin\AppData\Roaming\RegAsm.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Che.xlsm
MD5
a3c3a061e0598c85cc17b5231385cdb1

SHA1
379e758aabecec0e2b4ef016d0a21a939a8c14f6

SHA256
fcaff0cd994312bc7fb49a433d749658118c01a201a24cf6e54609d3ff6dd39f

SHA512
39b2c7dbf316fd83e5bce31ebc012beba56264222740839d34b975c2391412a6d9ee681813eb306fa9b4e9d9e1e0b254509bb200f34309509d4c6f49f3ef7205

Download Submit
C:\Users\Admin\AppData\Roaming\Dal.xlsm
MD5
fd1ec56817c1734242eb24728c949d8f

SHA1
3f7053f4c4eecb6f5224d00abd975f1c18abf310

SHA256
ef241532605f8a0372fce0903ae9c73784e974ec6d7145d9b9fa67c7e60c6a6f

SHA512
67cf0e3d9782e028753c447431825b71dc9402a21186df8eb86fd6f5f74867bd13450546dde3906afecf304c8468c9703ee0cbc37fcac4d274f711e99530d391

Download Submit
C:\Users\Admin\AppData\Roaming\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Rombo.xlsm
MD5
8836631ad7dad0d12394f4f915bf6b55

SHA1
d449e17f572f02067169423e4550a7650ee0aa93

SHA256
3efc31fa28d31a56777e163371e29eea33986f5e268d56fcc2f795c0834e7e45

SHA512
234b336f95b9e51f07da52c811495163780c85ca341b94538de559cbf157b2d3787242af9923caedbb65a8833e7aed12fcb4ca058173a8188db3cdd069071199

Download Submit
C:\Users\Admin\AppData\Roaming\Sue.xlsm
MD5
0fde1c27838817b17c98a2790b8582e3

SHA1
c90da25d93cf4e35f563c0b5af08eeb099e3cc41

SHA256
420e19a09aea1331f513003d96f8718b9b30596c2ef1e79216cc4baed986b82c

SHA512
a21c2aee6af3e89d5c695656a79c3c30e1d4e5a646ad9288713b105a93dba4018f6449f0984ca0262506f7bf06e2baf9df9d39501e13f990a60dcef8d254cdc3

Download Submit
C:\Users\Admin\AppData\Roaming\Vai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Vai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\X
MD5
8836631ad7dad0d12394f4f915bf6b55

SHA1
d449e17f572f02067169423e4550a7650ee0aa93

SHA256
3efc31fa28d31a56777e163371e29eea33986f5e268d56fcc2f795c0834e7e45

SHA512
234b336f95b9e51f07da52c811495163780c85ca341b94538de559cbf157b2d3787242af9923caedbb65a8833e7aed12fcb4ca058173a8188db3cdd069071199

Download Submit
\Users\Admin\AppData\Local\Temp\nsr81CE.tmp\nsExec.dll
MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
memory/912-115-0x0000000000000000-mapping.dmp

Download
memory/1072-117-0x0000000000000000-mapping.dmp

Download
memory/1168-118-0x0000000000000000-mapping.dmp

Download
memory/1336-121-0x0000000000000000-mapping.dmp

Download
memory/1548-123-0x0000000000000000-mapping.dmp

Download
memory/1708-128-0x00000000015D0000-0x000000000171A000-memory.dmp

Filesize
1.3MB

Download
memory/1708-125-0x0000000000000000-mapping.dmp

Download
memory/2508-138-0x0000000004A80000-0x0000000005086000-memory.dmp

Filesize
6.0MB

Download
memory/2508-140-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/2508-135-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2508-136-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2508-137-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2508-129-0x0000000000390000-0x00000000003B2000-memory.dmp

Filesize
136KB

Download
memory/2508-139-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2508-134-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2508-141-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/2508-142-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/2508-143-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/2508-144-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/2508-145-0x00000000067F0000-0x00000000067F1000-memory.dmp

Filesize
4KB

Download
memory/2508-146-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/2508-147-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download