redline | 24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f

Analysis

max time kernel
88s
max time network
149s
platform
windows10_x64
resource
win10-en-20211014
submitted
19-10-2021 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fedf404b97ebf25a2df2b7456bbdd974.exe
Size

1.1MB
MD5

fedf404b97ebf25a2df2b7456bbdd974
SHA1

744eade13828533e7f0fa5c91cd963e88b205402
SHA256

24694773eae47324f59b1521fd5303b3742db8a88e177516ef91f14933e3182f
SHA512

2d103236ed2b104bbe30fa390cfa7658bec4bf83c459723f46f4d2a4eb33c423727818a9ea6804f1eda2badb9f373b3a7eed4dc7255868446bbd109a8c799832

Score

10^/10

redline mew discovery evasion infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

MEW

185.215.113.107:61144

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-142-0x0000000002320000-0x0000000002340000-memory.dmp	family_redline
behavioral2/memory/3212-147-0x0000000002380000-0x000000000239E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

KR0923403904322FT.exepgamer.exepgamer.exe

pid process

2004 KR0923403904322FT.exe
3132 pgamer.exe
3212 pgamer.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

pgamer.exe

description pid process target process

PID 3132 set thread context of 3212 3132 pgamer.exe pgamer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

600 timeout.exe
2944 timeout.exe
2932 timeout.exe
64 timeout.exe
1604 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3632 taskkill.exe
1956 taskkill.exe

pid	process
2004	KR0923403904322FT.exe
3132	pgamer.exe
3212	pgamer.exe

description	pid	process	target process
PID 3132 set thread context of 3212	3132	pgamer.exe	pgamer.exe

pid	process
600	timeout.exe
2944	timeout.exe
2932	timeout.exe
64	timeout.exe
1604	timeout.exe

pid	process
3632	taskkill.exe
1956	taskkill.exe

Modifies registry class 2 IoCs

Processes:

fedf404b97ebf25a2df2b7456bbdd974.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	fedf404b97ebf25a2df2b7456bbdd974.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exepgamer.exe

description pid process

Token: SeDebugPrivilege 3632 taskkill.exe
Token: SeDebugPrivilege 1956 taskkill.exe
Token: SeDebugPrivilege 3212 pgamer.exe

description	pid	process
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	3212	pgamer.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

fedf404b97ebf25a2df2b7456bbdd974.exeWScript.execmd.exeWScript.execmd.exepgamer.exe

description	pid	process	target process
PID 1656 wrote to memory of 4088	1656	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1656 wrote to memory of 4088	1656	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 1656 wrote to memory of 4088	1656	fedf404b97ebf25a2df2b7456bbdd974.exe	WScript.exe
PID 4088 wrote to memory of 3060	4088	WScript.exe	cmd.exe
PID 4088 wrote to memory of 3060	4088	WScript.exe	cmd.exe
PID 4088 wrote to memory of 3060	4088	WScript.exe	cmd.exe
PID 3060 wrote to memory of 600	3060	cmd.exe	timeout.exe
PID 3060 wrote to memory of 600	3060	cmd.exe	timeout.exe
PID 3060 wrote to memory of 600	3060	cmd.exe	timeout.exe
PID 3060 wrote to memory of 2004	3060	cmd.exe	KR0923403904322FT.exe
PID 3060 wrote to memory of 2004	3060	cmd.exe	KR0923403904322FT.exe
PID 3060 wrote to memory of 2004	3060	cmd.exe	KR0923403904322FT.exe
PID 3060 wrote to memory of 2944	3060	cmd.exe	timeout.exe
PID 3060 wrote to memory of 2944	3060	cmd.exe	timeout.exe
PID 3060 wrote to memory of 2944	3060	cmd.exe	timeout.exe
PID 3060 wrote to memory of 652	3060	cmd.exe	WScript.exe
PID 3060 wrote to memory of 652	3060	cmd.exe	WScript.exe
PID 3060 wrote to memory of 652	3060	cmd.exe	WScript.exe
PID 3060 wrote to memory of 2932	3060	cmd.exe	timeout.exe
PID 3060 wrote to memory of 2932	3060	cmd.exe	timeout.exe
PID 3060 wrote to memory of 2932	3060	cmd.exe	timeout.exe
PID 652 wrote to memory of 1480	652	WScript.exe	cmd.exe
PID 652 wrote to memory of 1480	652	WScript.exe	cmd.exe
PID 652 wrote to memory of 1480	652	WScript.exe	cmd.exe
PID 1480 wrote to memory of 372	1480	cmd.exe	attrib.exe
PID 1480 wrote to memory of 372	1480	cmd.exe	attrib.exe
PID 1480 wrote to memory of 372	1480	cmd.exe	attrib.exe
PID 1480 wrote to memory of 64	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 64	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 64	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 3132	1480	cmd.exe	pgamer.exe
PID 1480 wrote to memory of 3132	1480	cmd.exe	pgamer.exe
PID 1480 wrote to memory of 3132	1480	cmd.exe	pgamer.exe
PID 3132 wrote to memory of 3212	3132	pgamer.exe	pgamer.exe
PID 3132 wrote to memory of 3212	3132	pgamer.exe	pgamer.exe
PID 3132 wrote to memory of 3212	3132	pgamer.exe	pgamer.exe
PID 3132 wrote to memory of 3212	3132	pgamer.exe	pgamer.exe
PID 3132 wrote to memory of 3212	3132	pgamer.exe	pgamer.exe
PID 1480 wrote to memory of 3632	1480	cmd.exe	taskkill.exe
PID 1480 wrote to memory of 3632	1480	cmd.exe	taskkill.exe
PID 1480 wrote to memory of 3632	1480	cmd.exe	taskkill.exe
PID 1480 wrote to memory of 1956	1480	cmd.exe	taskkill.exe
PID 1480 wrote to memory of 1956	1480	cmd.exe	taskkill.exe
PID 1480 wrote to memory of 1956	1480	cmd.exe	taskkill.exe
PID 1480 wrote to memory of 2328	1480	cmd.exe	attrib.exe
PID 1480 wrote to memory of 2328	1480	cmd.exe	attrib.exe
PID 1480 wrote to memory of 2328	1480	cmd.exe	attrib.exe
PID 1480 wrote to memory of 1604	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 1604	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 1604	1480	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2328 attrib.exe
372 attrib.exe

pid	process
2328	attrib.exe
372	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fedf404b97ebf25a2df2b7456bbdd974.exe
"C:\Users\Admin\AppData\Local\Temp\fedf404b97ebf25a2df2b7456bbdd974.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\RKL4099023598809324\ok.vbs" /f=CREATE_NO_WINDOW install.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\RKL4099023598809324\un.bat" "
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\timeout.exe
timeout 7
4⤵
- Delays execution with timeout.exe
PID:600

C:\RKL4099023598809324\KR0923403904322FT.exe
"KR0923403904322FT.exe" e -pZXCupcontrolfolders 1qw.rar
4⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\timeout.exe
timeout 6
4⤵
- Delays execution with timeout.exe
PID:2944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\RKL4099023598809324\hjkd.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\RKL4099023598809324\S456.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\RKL4099023598809324"
6⤵
- Views/modifies file attributes
PID:372

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:64

C:\RKL4099023598809324\pgamer.exe
pgamer.exe /start
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3132

C:\RKL4099023598809324\pgamer.exe
pgamer.exe /start
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im KR0923403904322FT.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im KR0923403904322FT.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\RKL4099023598809324"
6⤵
- Views/modifies file attributes
PID:2328

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:1604

C:\Windows\SysWOW64\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:2932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RKL4099023598809324\1.ico
MD5
5fb78309efe6ffeee40c6d8a7e6ff210

SHA1
a918bd0706bb2a90d15727d6869ffdae84f50549

SHA256
eaf298f9e7b495b8ee19f5595f496d4522c4b027b283acf9df5ac8ceeb182bee

SHA512
588268cbdd30681a5889064520e354cbda17485b771ad3ff5b2779f22effbede19110b600de2d2f3e341865f3963182f919a02b3d2f4759866e247f1ab8c7278

Download Submit
C:\RKL4099023598809324\KR0923403904322FT.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\RKL4099023598809324\KR0923403904322FT.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\RKL4099023598809324\S456.bat
MD5
a97bfce282d0c9561d28f176775da6d3

SHA1
c4a793e54d7e62698b61a975fb1efa692255b494

SHA256
d44244a910c829dfe199f7a15f8ecbe4fb9d9dc250b27e10d9dcc726c3354daa

SHA512
e4e3cce9341276c1fa470a9287c12b9b157e37a30f0adc0cd492be12a775cb373dc7fab5bb394eef02b5d83d177f42d3086bb2390a733bb4619cc816959b46d4

Download Submit
C:\RKL4099023598809324\hjkd.vbs
MD5
f10cc4a30d203a0c9fc627a212fdb068

SHA1
4ef14c8fa3f6ea6be1f7b391564283a769a561e4

SHA256
6dac725bf03e356a205a78edae3209d79cbeea8ba66d9c900f45dd6058ba25ff

SHA512
22347e966e0863ba5189341d20cf8cc61187b835bcc01664a83ea07cdadf10192bc70de81371686ca39757e7a9e8f329272b320d0049877c02e796bddddba366

Download Submit
C:\RKL4099023598809324\ok.vbs
MD5
9b4ac8d30f8ee1e3270a598ff8cfdee0

SHA1
2cb027f9f8fe6a038f70ae15bea6fbc2e851906f

SHA256
2cbd5c56dd3b8d0b9822bfbf09f3fb1205d4ac22e66515eef12df04b3c99f090

SHA512
c359f5c14290799781a955b186b17a99392c77bff78c9db711ad17c836325444242c5baeb6fe9a233bf64ab14ea9dc3e93f71b7a881de8bd8bc06435b05da2d6

Download Submit
C:\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
C:\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
C:\RKL4099023598809324\pgamer.exe
MD5
93c8f50bce4c6ce5e9d481531a917eeb

SHA1
2ca174d68fab060ee9eb40001d559d98ececc977

SHA256
5c7ee0567655c92ec02ecbcb880ddb4b5d9095c23578965121e7359b9c378e52

SHA512
ec968f9030ed6ba332b0bb5d3216fc42905748ce73b2e6899c23a909a3e359f0028547d0a6f8a9ca8cd2943e729a6d236a1740d9170c896c8caf26efde2782b0

Download Submit
C:\RKL4099023598809324\un.bat
MD5
1b639b021bbd10f13f38e1c2b027996f

SHA1
4f788ac98a4d1d018115a5568f9685c3ab5e86dd

SHA256
8070a0ecd7110a3b7cd2a1f03e24873e77bcb50a25e54223ce2b419d556b7404

SHA512
ef1d17e1a4f8a8d38ac558a9f25ddc7bac8ba74a3019770716a9209e4365a763ad6ec77dd81899db0a99b7bb40761ae47aad88ed555301f419f61ac06e48481a

Download Submit
memory/64-130-0x0000000000000000-mapping.dmp

Download
memory/372-129-0x0000000000000000-mapping.dmp

Download
memory/600-119-0x0000000000000000-mapping.dmp

Download
memory/652-125-0x0000000000000000-mapping.dmp

Download
memory/1480-128-0x0000000000000000-mapping.dmp

Download
memory/1604-141-0x0000000000000000-mapping.dmp

Download
memory/1956-138-0x0000000000000000-mapping.dmp

Download
memory/2004-121-0x0000000000000000-mapping.dmp

Download
memory/2328-139-0x0000000000000000-mapping.dmp

Download
memory/2932-126-0x0000000000000000-mapping.dmp

Download
memory/2944-123-0x0000000000000000-mapping.dmp

Download
memory/3060-118-0x0000000000000000-mapping.dmp

Download
memory/3132-131-0x0000000000000000-mapping.dmp

Download
memory/3212-148-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3212-149-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3212-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-135-0x000000000040CD2F-mapping.dmp

Download
memory/3212-142-0x0000000002320000-0x0000000002340000-memory.dmp

Filesize
128KB

Download
memory/3212-143-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/3212-145-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/3212-144-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3212-146-0x0000000004A93000-0x0000000004A94000-memory.dmp

Filesize
4KB

Download
memory/3212-147-0x0000000002380000-0x000000000239E000-memory.dmp

Filesize
120KB

Download
memory/3212-160-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/3212-159-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/3212-150-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3212-151-0x0000000004A94000-0x0000000004A96000-memory.dmp

Filesize
8KB

Download
memory/3212-152-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3212-153-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3212-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3212-155-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/3212-156-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/3212-157-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/3212-158-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/3632-137-0x0000000000000000-mapping.dmp

Download
memory/4088-115-0x0000000000000000-mapping.dmp

Download