redline | 24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-en-20210920
submitted
19-10-2021 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fedf404b97ebf25a2df2b7456bbdd974.exe
Size

1.1MB
MD5

fedf404b97ebf25a2df2b7456bbdd974
SHA1

744eade13828533e7f0fa5c91cd963e88b205402
SHA256

24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f
SHA512

2d103236ed2b104bbe30fa390cfa7658bec4bf83c459723f46f4d2a4eb33c423727818a9ea6804f1eda2badb9f373b3a7eed4dc7255868446bbd109a8c799832

Score

10^/10

redline mew discovery evasion infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

MEW

185.215.113.107:61144

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/328-98-0x0000000001DF0000-0x0000000001E10000-memory.dmp	family_redline
behavioral1/memory/328-99-0x0000000001EA0000-0x0000000001EBE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

KR0923403904322FT.exepgamer.exepgamer.exe

pid process

1308 KR0923403904322FT.exe
988 pgamer.exe
328 pgamer.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exepgamer.exe

pid process

332 cmd.exe
1756 cmd.exe
1756 cmd.exe
988 pgamer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

pgamer.exe

description pid process target process

PID 988 set thread context of 328 988 pgamer.exe pgamer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

824 timeout.exe
1708 timeout.exe
856 timeout.exe
960 timeout.exe
952 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1772 taskkill.exe
888 taskkill.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exepgamer.exe

description pid process

Token: SeDebugPrivilege 1772 taskkill.exe
Token: SeDebugPrivilege 888 taskkill.exe
Token: SeDebugPrivilege 328 pgamer.exe

pid	process
1308	KR0923403904322FT.exe
988	pgamer.exe
328	pgamer.exe

pid	process
332	cmd.exe
1756	cmd.exe
1756	cmd.exe
988	pgamer.exe

description	pid	process	target process
PID 988 set thread context of 328	988	pgamer.exe	pgamer.exe

pid	process
824	timeout.exe
1708	timeout.exe
856	timeout.exe
960	timeout.exe
952	timeout.exe

pid	process
1772	taskkill.exe
888	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	328	pgamer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fedf404b97ebf25a2df2b7456bbdd974.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 1640	1768	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1768 wrote to memory of 1640	1768	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1768 wrote to memory of 1640	1768	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1768 wrote to memory of 1640	1768	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1768 wrote to memory of 1640	1768	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1768 wrote to memory of 1640	1768	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1768 wrote to memory of 1640	1768	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1640 wrote to memory of 332	1640	WScript.exe	cmd.exe
PID 1640 wrote to memory of 332	1640	WScript.exe	cmd.exe
PID 1640 wrote to memory of 332	1640	WScript.exe	cmd.exe
PID 1640 wrote to memory of 332	1640	WScript.exe	cmd.exe
PID 1640 wrote to memory of 332	1640	WScript.exe	cmd.exe
PID 1640 wrote to memory of 332	1640	WScript.exe	cmd.exe
PID 1640 wrote to memory of 332	1640	WScript.exe	cmd.exe
PID 332 wrote to memory of 856	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 856	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 856	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 856	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 856	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 856	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 856	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 1308	332	cmd.exe	KR0923403904322FT.exe
PID 332 wrote to memory of 1308	332	cmd.exe	KR0923403904322FT.exe
PID 332 wrote to memory of 1308	332	cmd.exe	KR0923403904322FT.exe
PID 332 wrote to memory of 1308	332	cmd.exe	KR0923403904322FT.exe
PID 332 wrote to memory of 1308	332	cmd.exe	KR0923403904322FT.exe
PID 332 wrote to memory of 1308	332	cmd.exe	KR0923403904322FT.exe
PID 332 wrote to memory of 1308	332	cmd.exe	KR0923403904322FT.exe
PID 332 wrote to memory of 960	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 960	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 960	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 960	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 960	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 960	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 960	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 396	332	cmd.exe	WScript.exe
PID 332 wrote to memory of 396	332	cmd.exe	WScript.exe
PID 332 wrote to memory of 396	332	cmd.exe	WScript.exe
PID 332 wrote to memory of 396	332	cmd.exe	WScript.exe
PID 332 wrote to memory of 396	332	cmd.exe	WScript.exe
PID 332 wrote to memory of 396	332	cmd.exe	WScript.exe
PID 332 wrote to memory of 396	332	cmd.exe	WScript.exe
PID 332 wrote to memory of 952	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 952	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 952	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 952	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 952	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 952	332	cmd.exe	timeout.exe
PID 332 wrote to memory of 952	332	cmd.exe	timeout.exe
PID 396 wrote to memory of 1756	396	WScript.exe	cmd.exe
PID 396 wrote to memory of 1756	396	WScript.exe	cmd.exe
PID 396 wrote to memory of 1756	396	WScript.exe	cmd.exe
PID 396 wrote to memory of 1756	396	WScript.exe	cmd.exe
PID 396 wrote to memory of 1756	396	WScript.exe	cmd.exe
PID 396 wrote to memory of 1756	396	WScript.exe	cmd.exe
PID 396 wrote to memory of 1756	396	WScript.exe	cmd.exe
PID 1756 wrote to memory of 1584	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 1584	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 1584	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 1584	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 1584	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 1584	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 1584	1756	cmd.exe	attrib.exe
PID 1756 wrote to memory of 824	1756	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1584 attrib.exe
1192 attrib.exe

pid	process
1584	attrib.exe
1192	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fedf404b97ebf25a2df2b7456bbdd974.exe
"C:\Users\Admin\AppData\Local\Temp\fedf404b97ebf25a2df2b7456bbdd974.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\RKL4099023598809324\ok.vbs" /f=CREATE_NO_WINDOW install.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\RKL4099023598809324\un.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\timeout.exe
timeout 7
4⤵
- Delays execution with timeout.exe
PID:856

C:\RKL4099023598809324\KR0923403904322FT.exe
"KR0923403904322FT.exe" e -pZXCupcontrolfolders 1qw.rar
4⤵
- Executes dropped EXE
PID:1308

C:\Windows\SysWOW64\timeout.exe
timeout 6
4⤵
- Delays execution with timeout.exe
PID:960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\RKL4099023598809324\hjkd.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\RKL4099023598809324\S456.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\RKL4099023598809324"
6⤵
- Views/modifies file attributes
PID:1584

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:824

C:\RKL4099023598809324\pgamer.exe
pgamer.exe /start
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:988

C:\RKL4099023598809324\pgamer.exe
pgamer.exe /start
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im KR0923403904322FT.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im KR0923403904322FT.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\RKL4099023598809324"
6⤵
- Views/modifies file attributes
PID:1192

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:1708

C:\Windows\SysWOW64\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RKL4099023598809324\1.ico
MD5
5fb78309efe6ffeee40c6d8a7e6ff210

SHA1
a918bd0706bb2a90d15727d6869ffdae84f50549

SHA256
eaf298f9e7b495b8ee19f5595f496d4522c4b027b283acf9df5ac8ceeb182bee

SHA512
588268cbdd30681a5889064520e354cbda17485b771ad3ff5b2779f22effbede19110b600de2d2f3e341865f3963182f919a02b3d2f4759866e247f1ab8c7278

Download Submit
C:\RKL4099023598809324\KR0923403904322FT.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\RKL4099023598809324\KR0923403904322FT.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\RKL4099023598809324\S456.bat
MD5
a97bfce282d0c9561d28f176775da6d3

SHA1
c4a793e54d7e62698b61a975fb1efa692255b494

SHA256
d44244a910c829dfe199f7a15f8ecbe4fb9d9dc250b27e10d9dcc726c3354daa

SHA512
e4e3cce9341276c1fa470a9287c12b9b157e37a30f0adc0cd492be12a775cb373dc7fab5bb394eef02b5d83d177f42d3086bb2390a733bb4619cc816959b46d4

Download Submit
C:\RKL4099023598809324\hjkd.vbs
MD5
f10cc4a30d203a0c9fc627a212fdb068

SHA1
4ef14c8fa3f6ea6be1f7b391564283a769a561e4

SHA256
6dac725bf03e356a205a78edae3209d79cbeea8ba66d9c900f45dd6058ba25ff

SHA512
22347e966e0863ba5189341d20cf8cc61187b835bcc01664a83ea07cdadf10192bc70de81371686ca39757e7a9e8f329272b320d0049877c02e796bddddba366

Download Submit
C:\RKL4099023598809324\ok.vbs
MD5
9b4ac8d30f8ee1e3270a598ff8cfdee0

SHA1
2cb027f9f8fe6a038f70ae15bea6fbc2e851906f

SHA256
2cbd5c56dd3b8d0b9822bfbf09f3fb1205d4ac22e66515eef12df04b3c99f090

SHA512
c359f5c14290799781a955b186b17a99392c77bff78c9db711ad17c836325444242c5baeb6fe9a233bf64ab14ea9dc3e93f71b7a881de8bd8bc06435b05da2d6

Download Submit
C:\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
C:\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
C:\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
C:\RKL4099023598809324\un.bat
MD5
1b639b021bbd10f13f38e1c2b027996f

SHA1
4f788ac98a4d1d018115a5568f9685c3ab5e86dd

SHA256
8070a0ecd7110a3b7cd2a1f03e24873e77bcb50a25e54223ce2b419d556b7404

SHA512
ef1d17e1a4f8a8d38ac558a9f25ddc7bac8ba74a3019770716a9209e4365a763ad6ec77dd81899db0a99b7bb40761ae47aad88ed555301f419f61ac06e48481a

Download Submit
\RKL4099023598809324\KR0923403904322FT.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
memory/328-98-0x0000000001DF0000-0x0000000001E10000-memory.dmp

Filesize
128KB

Download
memory/328-91-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/328-109-0x0000000002714000-0x0000000002716000-memory.dmp

Filesize
8KB

Download
memory/328-107-0x0000000002713000-0x0000000002714000-memory.dmp

Filesize
4KB

Download
memory/328-106-0x0000000002712000-0x0000000002713000-memory.dmp

Filesize
4KB

Download
memory/328-104-0x0000000002711000-0x0000000002712000-memory.dmp

Filesize
4KB

Download
memory/328-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/328-99-0x0000000001EA0000-0x0000000001EBE000-memory.dmp

Filesize
120KB

Download
memory/328-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/328-92-0x000000000040CD2F-mapping.dmp

Download
memory/328-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/332-59-0x0000000000000000-mapping.dmp

Download
memory/396-72-0x0000000000000000-mapping.dmp

Download
memory/824-81-0x0000000000000000-mapping.dmp

Download
memory/856-61-0x0000000000000000-mapping.dmp

Download
memory/888-100-0x0000000000000000-mapping.dmp

Download
memory/952-73-0x0000000000000000-mapping.dmp

Download
memory/960-69-0x0000000000000000-mapping.dmp

Download
memory/988-86-0x0000000000000000-mapping.dmp

Download
memory/1192-102-0x0000000000000000-mapping.dmp

Download
memory/1308-66-0x0000000000000000-mapping.dmp

Download
memory/1584-79-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000000000000-mapping.dmp

Download
memory/1708-108-0x0000000000000000-mapping.dmp

Download
memory/1756-77-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download
memory/1772-94-0x0000000000000000-mapping.dmp

Download