redline | 6a8380cdaf3d012f2373f6919bbd2ee6c21ae43dd16d29c999528189057ccf1d

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-en-20210920
submitted
24-10-2021 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac3e3692ed2f66f4e6227cc86df0283c.exe
Size

1.1MB
MD5

ac3e3692ed2f66f4e6227cc86df0283c
SHA1

b1b4a77aa6c0ccf203ab08f8a8359a736ee03b2a
SHA256

6a8380cdaf3d012f2373f6919bbd2ee6c21ae43dd16d29c999528189057ccf1d
SHA512

893ce7687f232024f80635a06ea7e711dace41dfb9bf687ba47ace7d9010a67a6e9e8ceb6ccb23bb6c5a5dda1451c380f88c8e6ad1ffedb9f7c39c20420e5397

Score

10^/10

redline 2 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

146.0.75.231:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/964-76-0x0000000000090000-0x00000000000AE000-memory.dmp	family_redline
behavioral1/memory/964-82-0x0000000000090000-0x00000000000AE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Smettere.exe.comSmettere.exe.comRegAsm.exe

pid process

976 Smettere.exe.com
432 Smettere.exe.com
964 RegAsm.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeSmettere.exe.comSmettere.exe.comRegAsm.exe

pid process

572 cmd.exe
976 Smettere.exe.com
432 Smettere.exe.com
964 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
976	Smettere.exe.com
432	Smettere.exe.com
964	RegAsm.exe

pid	process
572	cmd.exe
976	Smettere.exe.com
432	Smettere.exe.com
964	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ac3e3692ed2f66f4e6227cc86df0283c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ac3e3692ed2f66f4e6227cc86df0283c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac3e3692ed2f66f4e6227cc86df0283c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Smettere.exe.com

description pid process target process

PID 432 set thread context of 964 432 Smettere.exe.com RegAsm.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

364 PING.EXE

description	pid	process	target process
PID 432 set thread context of 964	432	Smettere.exe.com	RegAsm.exe

pid	process
364	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Smettere.exe.comRegAsm.exe

pid	process
432	Smettere.exe.com
432	Smettere.exe.com
432	Smettere.exe.com
432	Smettere.exe.com
432	Smettere.exe.com
432	Smettere.exe.com
432	Smettere.exe.com
432	Smettere.exe.com
964	RegAsm.exe
964	RegAsm.exe
964	RegAsm.exe
964	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 964 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	964	RegAsm.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

ac3e3692ed2f66f4e6227cc86df0283c.execmd.execmd.exeSmettere.exe.comSmettere.exe.com

description	pid	process	target process
PID 1420 wrote to memory of 556	1420	ac3e3692ed2f66f4e6227cc86df0283c.exe	dllhost.exe
PID 1420 wrote to memory of 556	1420	ac3e3692ed2f66f4e6227cc86df0283c.exe	dllhost.exe
PID 1420 wrote to memory of 556	1420	ac3e3692ed2f66f4e6227cc86df0283c.exe	dllhost.exe
PID 1420 wrote to memory of 556	1420	ac3e3692ed2f66f4e6227cc86df0283c.exe	dllhost.exe
PID 1420 wrote to memory of 856	1420	ac3e3692ed2f66f4e6227cc86df0283c.exe	cmd.exe
PID 1420 wrote to memory of 856	1420	ac3e3692ed2f66f4e6227cc86df0283c.exe	cmd.exe
PID 1420 wrote to memory of 856	1420	ac3e3692ed2f66f4e6227cc86df0283c.exe	cmd.exe
PID 1420 wrote to memory of 856	1420	ac3e3692ed2f66f4e6227cc86df0283c.exe	cmd.exe
PID 856 wrote to memory of 572	856	cmd.exe	cmd.exe
PID 856 wrote to memory of 572	856	cmd.exe	cmd.exe
PID 856 wrote to memory of 572	856	cmd.exe	cmd.exe
PID 856 wrote to memory of 572	856	cmd.exe	cmd.exe
PID 572 wrote to memory of 616	572	cmd.exe	findstr.exe
PID 572 wrote to memory of 616	572	cmd.exe	findstr.exe
PID 572 wrote to memory of 616	572	cmd.exe	findstr.exe
PID 572 wrote to memory of 616	572	cmd.exe	findstr.exe
PID 572 wrote to memory of 976	572	cmd.exe	Smettere.exe.com
PID 572 wrote to memory of 976	572	cmd.exe	Smettere.exe.com
PID 572 wrote to memory of 976	572	cmd.exe	Smettere.exe.com
PID 572 wrote to memory of 976	572	cmd.exe	Smettere.exe.com
PID 572 wrote to memory of 364	572	cmd.exe	PING.EXE
PID 572 wrote to memory of 364	572	cmd.exe	PING.EXE
PID 572 wrote to memory of 364	572	cmd.exe	PING.EXE
PID 572 wrote to memory of 364	572	cmd.exe	PING.EXE
PID 976 wrote to memory of 432	976	Smettere.exe.com	Smettere.exe.com
PID 976 wrote to memory of 432	976	Smettere.exe.com	Smettere.exe.com
PID 976 wrote to memory of 432	976	Smettere.exe.com	Smettere.exe.com
PID 976 wrote to memory of 432	976	Smettere.exe.com	Smettere.exe.com
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe
PID 432 wrote to memory of 964	432	Smettere.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\ac3e3692ed2f66f4e6227cc86df0283c.exe
"C:\Users\Admin\AppData\Local\Temp\ac3e3692ed2f66f4e6227cc86df0283c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Luce.ini
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^KyGbaHswOKLbRCwvDcWxdvZVsmfKotGADOUlVpOMxlueTfJIKFZYvlzgyLuTaGTKtkUrHQAzHpZyfWwePGqDtIraxGtlrUxOsvYIxGwTtFdjkhZoJttMFfFciBIwLdfM$" Copre.ini
4⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Smettere.exe.com
Smettere.exe.com N
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Smettere.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Smettere.exe.com N
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Basso.ini

MD5
80cdba403703c10e0a3d0a0ab76178b2

SHA1
4694d6564dcad667fed8df29ae9973952ed8e064

SHA256
dc599a8c3c2d1ef05a0affb6e79c88016f03ea98dd2fd3920f46a1ef3f340958

SHA512
9f0ab6a7a37ad7949584d648bc940dff85a31b57ff2288fb036d04bf8200070453b1dafc5635e5854a6d4b8dedc6d121c0031c1eeb887b104de2804d67d9c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Copre.ini

MD5
e8f4d6532d032c1c2bcd6a2767ba1625

SHA1
b563b652d347fb6d6562c3d6b2e1abc083dfe9f5

SHA256
fcdd55b13fc6081f6195cd442c61e139ff2b26c33423b1367349d13c3f77e000

SHA512
888e0dd898b5aa089066685b3ab640f80c8209d4e2030ac418875c50d2bf1cc45d33fb33dbb125a1752fd813af88d7d3f5ce6377e23b5782f549d04d795674de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Luce.ini

MD5
17601ebab364160365dfe5dab7a636c1

SHA1
d4b49ca26c2a5bebd22b5e0b283a6501be554ba2

SHA256
1cec945fd3f1e1e29292366fdd33616e572442a9eac9e3ccf81a21aa59e5fa59

SHA512
3fb438683f39bcdc86ae759aa74d3281fe871e3ec84fc9146f935326d1a3fb616b62b0e15af8364534010588fde4aa8eba3f717cdf7b3ac31cf8611845704a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\N

MD5
80cdba403703c10e0a3d0a0ab76178b2

SHA1
4694d6564dcad667fed8df29ae9973952ed8e064

SHA256
dc599a8c3c2d1ef05a0affb6e79c88016f03ea98dd2fd3920f46a1ef3f340958

SHA512
9f0ab6a7a37ad7949584d648bc940dff85a31b57ff2288fb036d04bf8200070453b1dafc5635e5854a6d4b8dedc6d121c0031c1eeb887b104de2804d67d9c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perisce.ini

MD5
5a911a3f76c58daa6360d70023b896b0

SHA1
3f648ccbca1901dd0e60731ed3b340b66feafa0b

SHA256
9f119d6f40f8d9d99381c06712e6c03e292f2c9ed63f9a879268756aeb4713a2

SHA512
87e8ac990ee4732ab3a07032e58426abb95c32fdca9501729ec7517eb5362697d02a3534df16c50dd3d4ba80d52171662dab48bc0497d0c7897413e4a2fcb7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Smettere.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Smettere.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Smettere.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Smettere.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Smettere.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/364-64-0x0000000000000000-mapping.dmp

Download
memory/432-75-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/432-69-0x0000000000000000-mapping.dmp

Download
memory/556-54-0x0000000000000000-mapping.dmp

Download
memory/572-57-0x0000000000000000-mapping.dmp

Download
memory/616-58-0x0000000000000000-mapping.dmp

Download
memory/856-55-0x0000000000000000-mapping.dmp

Download
memory/964-76-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/964-74-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/964-82-0x0000000000090000-0x00000000000AE000-memory.dmp

Filesize
120KB

Download
memory/964-84-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/976-62-0x0000000000000000-mapping.dmp

Download
memory/976-65-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download