c2e07c268efe3d9967a8af7933a22188b928bae9a86bb0177a401ed0a7979657

General

Target

Redline Stealer 2021 Cracked/Redline_20_2_crack.exe
Size

15.1MB
MD5

083776e54ad37b3a45d7e6516b1e13fb
SHA1

e784e8f041dfb7612e8439518ed587f1f878b9eb
SHA256

4334163e03a3cae86600be22c3deb8e786142db27883cc99f0536f713621df9d
SHA512

0985538bf8c2add2e85ac09e64826e0993fae2b1b4e7643a42f010201e4e8f2065f673a795aa4eabf7bee26709f35fbc84553042f40ce3a2fde96a271c43590c

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Redline_20_2_crack.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Redline_20_2_crack.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Redline_20_2_crack.exe

Drops file in System32 directory 4 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

Redline_20_2_crack.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\International\CpMRU	Redline_20_2_crack.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	Redline_20_2_crack.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	Redline_20_2_crack.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	Redline_20_2_crack.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	Redline_20_2_crack.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Redline_20_2_crack.exeOfficeC2RClient.exe

pid process

3796 Redline_20_2_crack.exe
3796 Redline_20_2_crack.exe
2220 OfficeC2RClient.exe

pid	process
3796	Redline_20_2_crack.exe
3796	Redline_20_2_crack.exe
2220	OfficeC2RClient.exe

C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\Redline_20_2_crack.exe
"C:\Users\Admin\AppData\Local\Temp\Redline Stealer 2021 Cracked\Redline_20_2_crack.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:2168

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads