redline | d24b5d75e56e99a246697efda3cf47ff9f1b841aaabb06f987804c02e83f5e0a

Analysis

max time kernel
111s
max time network
125s
platform
windows10_x64
resource
win10-en-20211014
submitted
23-10-2021 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a02438d946903f95bd9f706ad0776c86.exe
Size

72KB
MD5

a02438d946903f95bd9f706ad0776c86
SHA1

d4b9470f0d24d94e3d327a456cb98fddd8fe61b4
SHA256

d24b5d75e56e99a246697efda3cf47ff9f1b841aaabb06f987804c02e83f5e0a
SHA512

b4301d4ea11f58bb8d6aae4326838ecbb558b485973e6d52553902a1d2a64217f69956a61470a7956513db904ffd2b1fc8ee55386cc02a4895e758d978ce52b4

Score

10^/10

redline discovery infostealer persistence spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2164-132-0x0000000003000000-0x0000000003024000-memory.dmp	family_redline
behavioral2/memory/3940-143-0x0000000005650000-0x0000000005683000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

5772426.exe7998366.exe8439207.exe5870837.exe3772992.exeWinHoster.exe

pid process

2120 5772426.exe
2164 7998366.exe
3940 8439207.exe
684 5870837.exe
600 3772992.exe
4044 WinHoster.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2120	5772426.exe
2164	7998366.exe
3940	8439207.exe
684	5870837.exe
600	3772992.exe
4044	WinHoster.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5870837.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5870837.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 wtfismyip.com
37 wtfismyip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

5772426.exe3772992.exe8439207.exe

pid process

2120 5772426.exe
600 3772992.exe
2120 5772426.exe
600 3772992.exe
3940 8439207.exe

flow	ioc
36	wtfismyip.com
37	wtfismyip.com

pid	process
2120	5772426.exe
600	3772992.exe
2120	5772426.exe
600	3772992.exe
3940	8439207.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

a02438d946903f95bd9f706ad0776c86.exe5772426.exe3772992.exe7998366.exe8439207.exe

description	pid	process
Token: SeDebugPrivilege	2272	a02438d946903f95bd9f706ad0776c86.exe
Token: SeDebugPrivilege	2120	5772426.exe
Token: SeDebugPrivilege	600	3772992.exe
Token: SeDebugPrivilege	2164	7998366.exe
Token: SeDebugPrivilege	3940	8439207.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a02438d946903f95bd9f706ad0776c86.exe5870837.exe

description	pid	process	target process
PID 2272 wrote to memory of 2120	2272	a02438d946903f95bd9f706ad0776c86.exe	5772426.exe
PID 2272 wrote to memory of 2120	2272	a02438d946903f95bd9f706ad0776c86.exe	5772426.exe
PID 2272 wrote to memory of 2120	2272	a02438d946903f95bd9f706ad0776c86.exe	5772426.exe
PID 2272 wrote to memory of 2164	2272	a02438d946903f95bd9f706ad0776c86.exe	7998366.exe
PID 2272 wrote to memory of 2164	2272	a02438d946903f95bd9f706ad0776c86.exe	7998366.exe
PID 2272 wrote to memory of 2164	2272	a02438d946903f95bd9f706ad0776c86.exe	7998366.exe
PID 2272 wrote to memory of 3940	2272	a02438d946903f95bd9f706ad0776c86.exe	8439207.exe
PID 2272 wrote to memory of 3940	2272	a02438d946903f95bd9f706ad0776c86.exe	8439207.exe
PID 2272 wrote to memory of 3940	2272	a02438d946903f95bd9f706ad0776c86.exe	8439207.exe
PID 2272 wrote to memory of 684	2272	a02438d946903f95bd9f706ad0776c86.exe	5870837.exe
PID 2272 wrote to memory of 684	2272	a02438d946903f95bd9f706ad0776c86.exe	5870837.exe
PID 2272 wrote to memory of 684	2272	a02438d946903f95bd9f706ad0776c86.exe	5870837.exe
PID 2272 wrote to memory of 600	2272	a02438d946903f95bd9f706ad0776c86.exe	3772992.exe
PID 2272 wrote to memory of 600	2272	a02438d946903f95bd9f706ad0776c86.exe	3772992.exe
PID 2272 wrote to memory of 600	2272	a02438d946903f95bd9f706ad0776c86.exe	3772992.exe
PID 684 wrote to memory of 4044	684	5870837.exe	WinHoster.exe
PID 684 wrote to memory of 4044	684	5870837.exe	WinHoster.exe
PID 684 wrote to memory of 4044	684	5870837.exe	WinHoster.exe

C:\Users\Admin\AppData\Local\Temp\a02438d946903f95bd9f706ad0776c86.exe
"C:\Users\Admin\AppData\Local\Temp\a02438d946903f95bd9f706ad0776c86.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Roaming\5772426.exe
"C:\Users\Admin\AppData\Roaming\5772426.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\AppData\Roaming\7998366.exe
"C:\Users\Admin\AppData\Roaming\7998366.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Users\Admin\AppData\Roaming\8439207.exe
"C:\Users\Admin\AppData\Roaming\8439207.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\AppData\Roaming\5870837.exe
"C:\Users\Admin\AppData\Roaming\5870837.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
3⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\AppData\Roaming\3772992.exe
"C:\Users\Admin\AppData\Roaming\3772992.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3772992.exe
MD5
d4afd6e583d54a75f39bf4934b99c684

SHA1
c9262e240a4a503d426b47b90c7b6fe6ed8bed9e

SHA256
0dca699c7d1729954372be2fe70f5da34521de4aa0e5b504a0f6a1c27b12c3f9

SHA512
87a29ea404583acf4eef5b4fe2feab8f16483af0cbe8cdfbc3e96ee41836f48e2e9456d54db734c150e6003d42596f8760e3500ec7ffefb50015b44c854a528f

Download Submit
C:\Users\Admin\AppData\Roaming\3772992.exe
MD5
d4afd6e583d54a75f39bf4934b99c684

SHA1
c9262e240a4a503d426b47b90c7b6fe6ed8bed9e

SHA256
0dca699c7d1729954372be2fe70f5da34521de4aa0e5b504a0f6a1c27b12c3f9

SHA512
87a29ea404583acf4eef5b4fe2feab8f16483af0cbe8cdfbc3e96ee41836f48e2e9456d54db734c150e6003d42596f8760e3500ec7ffefb50015b44c854a528f

Download Submit
C:\Users\Admin\AppData\Roaming\5772426.exe
MD5
ed4dfa563a88597f38e062bc4dc2a036

SHA1
ae99199406f0893f0d26ab6c8f03e1fab348afc0

SHA256
3ea02603bd6c910bb91df1b652cb7ff39db1553a4aefb1d016b7c39c31e2c0b1

SHA512
8d595cf21f5128713747da963bed1cbf99a2f28c635fe050f4a3ab9c30d34f6615269b01e9acd63efff4c3ea99c7158c6c53c18c1fd07e2c6307aa4b39073ba3

Download Submit
C:\Users\Admin\AppData\Roaming\5772426.exe
MD5
ed4dfa563a88597f38e062bc4dc2a036

SHA1
ae99199406f0893f0d26ab6c8f03e1fab348afc0

SHA256
3ea02603bd6c910bb91df1b652cb7ff39db1553a4aefb1d016b7c39c31e2c0b1

SHA512
8d595cf21f5128713747da963bed1cbf99a2f28c635fe050f4a3ab9c30d34f6615269b01e9acd63efff4c3ea99c7158c6c53c18c1fd07e2c6307aa4b39073ba3

Download Submit
C:\Users\Admin\AppData\Roaming\5870837.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\5870837.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\7998366.exe
MD5
0ed73d92959581b98c0f9175f60b3aad

SHA1
df04d64dad2b964098363f8ccb8768f4ac2976c0

SHA256
859f9669f87290f96d60fd6fa99fbc0c0a4071a121d1591d2e29949a4c7deb87

SHA512
aa5d1a3574eb4e5fd7307449657c993324717d9b364d6dcd43a721c6f73721c11dc3f587c962fd883256d0cf06125ba2bf5fb079f08b6963cf8fe254a34c02b5

Download Submit
C:\Users\Admin\AppData\Roaming\7998366.exe
MD5
0ed73d92959581b98c0f9175f60b3aad

SHA1
df04d64dad2b964098363f8ccb8768f4ac2976c0

SHA256
859f9669f87290f96d60fd6fa99fbc0c0a4071a121d1591d2e29949a4c7deb87

SHA512
aa5d1a3574eb4e5fd7307449657c993324717d9b364d6dcd43a721c6f73721c11dc3f587c962fd883256d0cf06125ba2bf5fb079f08b6963cf8fe254a34c02b5

Download Submit
C:\Users\Admin\AppData\Roaming\8439207.exe
MD5
f28365f2937760c6fd966c23449a707f

SHA1
4bfa3d246249e5fc0acce338a35389bae8a58956

SHA256
b42b391f5d87b6726ac2ba8b1f01416daa04908a993ba731129b0d5c9b2ca32f

SHA512
f7cb7d8d5922a1c3aecfbbf20a6f7e7e000d00e240c6bede92500b672a1d66ca33c4fa52325d7ae7a79dfe09034d8199dda0ad1561d41871ed5afabca6d6bbee

Download Submit
C:\Users\Admin\AppData\Roaming\8439207.exe
MD5
f28365f2937760c6fd966c23449a707f

SHA1
4bfa3d246249e5fc0acce338a35389bae8a58956

SHA256
b42b391f5d87b6726ac2ba8b1f01416daa04908a993ba731129b0d5c9b2ca32f

SHA512
f7cb7d8d5922a1c3aecfbbf20a6f7e7e000d00e240c6bede92500b672a1d66ca33c4fa52325d7ae7a79dfe09034d8199dda0ad1561d41871ed5afabca6d6bbee

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
a20e32791806c7b29070b95226b0e480

SHA1
8f2bac75ffabbe45770076047ded99f243622e5f

SHA256
df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

SHA512
6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

Download Submit
memory/600-175-0x00000000023E0000-0x0000000002428000-memory.dmp

Filesize
288KB

Download
memory/600-161-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/600-183-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/600-177-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/600-158-0x0000000000000000-mapping.dmp

Download
memory/600-165-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/684-163-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/684-153-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/684-151-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/684-148-0x0000000000000000-mapping.dmp

Download
memory/684-155-0x000000000A7D0000-0x000000000A7D1000-memory.dmp

Filesize
4KB

Download
memory/2120-125-0x0000000005070000-0x00000000050B9000-memory.dmp

Filesize
292KB

Download
memory/2120-139-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2120-145-0x000000000DDA0000-0x000000000DDA1000-memory.dmp

Filesize
4KB

Download
memory/2120-176-0x000000000E010000-0x000000000E011000-memory.dmp

Filesize
4KB

Download
memory/2120-124-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/2120-122-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2120-119-0x0000000000000000-mapping.dmp

Download
memory/2120-154-0x000000000E4A0000-0x000000000E4A1000-memory.dmp

Filesize
4KB

Download
memory/2120-127-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/2120-187-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/2164-133-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/2164-171-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/2164-130-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2164-132-0x0000000003000000-0x0000000003024000-memory.dmp

Filesize
144KB

Download
memory/2164-156-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/2164-142-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/2164-166-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/2164-141-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/2164-126-0x0000000000000000-mapping.dmp

Download
memory/2272-115-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2272-117-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/2272-118-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/3940-140-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3940-137-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3940-134-0x0000000000000000-mapping.dmp

Download
memory/3940-143-0x0000000005650000-0x0000000005683000-memory.dmp

Filesize
204KB

Download
memory/3940-192-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/3940-194-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/3940-201-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

Filesize
4KB

Download
memory/4044-178-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/4044-182-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4044-184-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/4044-164-0x0000000000000000-mapping.dmp

Download