redline | d0f0261c323ff82079ce60fb591082b69f97c3106315e6017d03b800b65894fe

General

Target

Sun03e4aeb7e43a1c.exe
Size

309KB
MD5

a8261f626a6e743ee0ce9abe3da429a1
SHA1

c12339c5bf0f1867c3ffbfb6bfe24feb12748078
SHA256

d0f0261c323ff82079ce60fb591082b69f97c3106315e6017d03b800b65894fe
SHA512

64542e73edfa809f916784ce13b90284877380becd52d9401b1c17fe3cc9991498597e5f869701df905119780e46654c83c09993bf3e277cb110637225cb112a

Score

10^/10

redline somebody discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

SomeBody

C2

185.215.113.29:36224

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1796-71-0x0000000000740000-0x000000000075C000-memory.dmp	family_redline
behavioral1/memory/1796-72-0x0000000001F70000-0x0000000001F8B000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

3609446544.exe9336993423.exe

pid process

820 3609446544.exe
1796 9336993423.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1472 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.execmd.exe

pid process

1096 cmd.exe
1816 cmd.exe
1816 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 freegeoip.app
20 freegeoip.app
15 freegeoip.app
17 freegeoip.app

pid	process
820	3609446544.exe
1796	9336993423.exe

pid	process
1472	cmd.exe

pid	process
1096	cmd.exe
1816	cmd.exe
1816	cmd.exe

flow	ioc
18	freegeoip.app
20	freegeoip.app
15	freegeoip.app
17	freegeoip.app

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3609446544.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\3609446544.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\3609446544.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1116 taskkill.exe

pid	process
1116	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Sun03e4aeb7e43a1c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun03e4aeb7e43a1c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun03e4aeb7e43a1c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun03e4aeb7e43a1c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9336993423.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1796 9336993423.exe
Token: SeDebugPrivilege 1116 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1796	9336993423.exe
Token: SeDebugPrivilege	1116	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Sun03e4aeb7e43a1c.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 1096	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1096	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1096	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1096	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1096 wrote to memory of 820	1096	cmd.exe	3609446544.exe
PID 1096 wrote to memory of 820	1096	cmd.exe	3609446544.exe
PID 1096 wrote to memory of 820	1096	cmd.exe	3609446544.exe
PID 1096 wrote to memory of 820	1096	cmd.exe	3609446544.exe
PID 1692 wrote to memory of 1816	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1816	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1816	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1816	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1816 wrote to memory of 1796	1816	cmd.exe	9336993423.exe
PID 1816 wrote to memory of 1796	1816	cmd.exe	9336993423.exe
PID 1816 wrote to memory of 1796	1816	cmd.exe	9336993423.exe
PID 1816 wrote to memory of 1796	1816	cmd.exe	9336993423.exe
PID 1692 wrote to memory of 1472	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1472	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1472	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1692 wrote to memory of 1472	1692	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1472 wrote to memory of 1116	1472	cmd.exe	taskkill.exe
PID 1472 wrote to memory of 1116	1472	cmd.exe	taskkill.exe
PID 1472 wrote to memory of 1116	1472	cmd.exe	taskkill.exe
PID 1472 wrote to memory of 1116	1472	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe
"C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\3609446544.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\3609446544.exe
"C:\Users\Admin\AppData\Local\Temp\3609446544.exe"
3⤵
- Executes dropped EXE
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9336993423.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\9336993423.exe
"C:\Users\Admin\AppData\Local\Temp\9336993423.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun03e4aeb7e43a1c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sun03e4aeb7e43a1c.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3609446544.exe
MD5
0316a4971affb23ccf2cfa83d0de9392

SHA1
74f2661e497b2079981447666a4fc71ede4e1774

SHA256
455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288

SHA512
673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\3609446544.exe
MD5
0316a4971affb23ccf2cfa83d0de9392

SHA1
74f2661e497b2079981447666a4fc71ede4e1774

SHA256
455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288

SHA512
673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\9336993423.exe
MD5
c8a54178bca548e62bc755b59eaac4d2

SHA1
fd6820252e4717ee0607da991904b7a2b96d5a8c

SHA256
1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

SHA512
acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9336993423.exe
MD5
c8a54178bca548e62bc755b59eaac4d2

SHA1
fd6820252e4717ee0607da991904b7a2b96d5a8c

SHA256
1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

SHA512
acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

Download Submit
\Users\Admin\AppData\Local\Temp\3609446544.exe
MD5
0316a4971affb23ccf2cfa83d0de9392

SHA1
74f2661e497b2079981447666a4fc71ede4e1774

SHA256
455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288

SHA512
673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20

Download Submit
\Users\Admin\AppData\Local\Temp\9336993423.exe
MD5
c8a54178bca548e62bc755b59eaac4d2

SHA1
fd6820252e4717ee0607da991904b7a2b96d5a8c

SHA256
1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

SHA512
acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

Download Submit
\Users\Admin\AppData\Local\Temp\9336993423.exe
MD5
c8a54178bca548e62bc755b59eaac4d2

SHA1
fd6820252e4717ee0607da991904b7a2b96d5a8c

SHA256
1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

SHA512
acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

Download Submit
memory/820-62-0x0000000000000000-mapping.dmp

Download
memory/1096-59-0x0000000000000000-mapping.dmp

Download
memory/1116-81-0x0000000000000000-mapping.dmp

Download
memory/1472-80-0x0000000000000000-mapping.dmp

Download
memory/1692-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1692-56-0x00000000002C0000-0x00000000002E9000-memory.dmp

Filesize
164KB

Download
memory/1692-57-0x00000000002F0000-0x000000000033A000-memory.dmp

Filesize
296KB

Download
memory/1692-55-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1796-75-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1796-72-0x0000000001F70000-0x0000000001F8B000-memory.dmp

Filesize
108KB

Download
memory/1796-73-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/1796-74-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/1796-71-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/1796-76-0x0000000004951000-0x0000000004952000-memory.dmp

Filesize
4KB

Download
memory/1796-77-0x0000000004952000-0x0000000004953000-memory.dmp

Filesize
4KB

Download
memory/1796-78-0x0000000004953000-0x0000000004954000-memory.dmp

Filesize
4KB

Download
memory/1796-79-0x0000000004954000-0x0000000004956000-memory.dmp

Filesize
8KB

Download
memory/1796-69-0x0000000000000000-mapping.dmp

Download
memory/1816-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads