redline | aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc

General

Target

036f4601b88c52668d279cf3fcce2a97.exe
Size

68KB
MD5

036f4601b88c52668d279cf3fcce2a97
SHA1

9d67601c7e37e1d7e7c36820ad360169c16628df
SHA256

aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc
SHA512

08b40274ad8d24a7f7775da9d7755d13aa0a110250008ceb02bae54fa8074d40d6ccfbfe28e2cf2c25d5904d931135a6bfe467ca6b5439422b1d2225c5756d70

Score

10^/10

redline khrip discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

khrip

C2

91.211.251.200:52562

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/940-75-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/940-74-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/940-77-0x0000000000418D2E-mapping.dmp	family_redline
behavioral1/memory/940-76-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/940-78-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exe

description pid process target process

PID 1616 set thread context of 940 1616 036f4601b88c52668d279cf3fcce2a97.exe 036f4601b88c52668d279cf3fcce2a97.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1616 set thread context of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

036f4601b88c52668d279cf3fcce2a97.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	036f4601b88c52668d279cf3fcce2a97.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	036f4601b88c52668d279cf3fcce2a97.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	036f4601b88c52668d279cf3fcce2a97.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exepowershell.exepowershell.exepowershell.exe036f4601b88c52668d279cf3fcce2a97.exe

pid	process
1616	036f4601b88c52668d279cf3fcce2a97.exe
1540	powershell.exe
1100	powershell.exe
1384	powershell.exe
1616	036f4601b88c52668d279cf3fcce2a97.exe
1616	036f4601b88c52668d279cf3fcce2a97.exe
940	036f4601b88c52668d279cf3fcce2a97.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1616	036f4601b88c52668d279cf3fcce2a97.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	1540	powershell.exe
Token: SeSecurityPrivilege	1540	powershell.exe
Token: SeTakeOwnershipPrivilege	1540	powershell.exe
Token: SeLoadDriverPrivilege	1540	powershell.exe
Token: SeSystemProfilePrivilege	1540	powershell.exe
Token: SeSystemtimePrivilege	1540	powershell.exe
Token: SeProfSingleProcessPrivilege	1540	powershell.exe
Token: SeIncBasePriorityPrivilege	1540	powershell.exe
Token: SeCreatePagefilePrivilege	1540	powershell.exe
Token: SeBackupPrivilege	1540	powershell.exe
Token: SeRestorePrivilege	1540	powershell.exe
Token: SeShutdownPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeSystemEnvironmentPrivilege	1540	powershell.exe
Token: SeRemoteShutdownPrivilege	1540	powershell.exe
Token: SeUndockPrivilege	1540	powershell.exe
Token: SeManageVolumePrivilege	1540	powershell.exe
Token: 33	1540	powershell.exe
Token: 34	1540	powershell.exe
Token: 35	1540	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1100	powershell.exe
Token: SeSecurityPrivilege	1100	powershell.exe
Token: SeTakeOwnershipPrivilege	1100	powershell.exe
Token: SeLoadDriverPrivilege	1100	powershell.exe
Token: SeSystemProfilePrivilege	1100	powershell.exe
Token: SeSystemtimePrivilege	1100	powershell.exe
Token: SeProfSingleProcessPrivilege	1100	powershell.exe
Token: SeIncBasePriorityPrivilege	1100	powershell.exe
Token: SeCreatePagefilePrivilege	1100	powershell.exe
Token: SeBackupPrivilege	1100	powershell.exe
Token: SeRestorePrivilege	1100	powershell.exe
Token: SeShutdownPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeSystemEnvironmentPrivilege	1100	powershell.exe
Token: SeRemoteShutdownPrivilege	1100	powershell.exe
Token: SeUndockPrivilege	1100	powershell.exe
Token: SeManageVolumePrivilege	1100	powershell.exe
Token: 33	1100	powershell.exe
Token: 34	1100	powershell.exe
Token: 35	1100	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeIncreaseQuotaPrivilege	1384	powershell.exe
Token: SeSecurityPrivilege	1384	powershell.exe
Token: SeTakeOwnershipPrivilege	1384	powershell.exe
Token: SeLoadDriverPrivilege	1384	powershell.exe
Token: SeSystemProfilePrivilege	1384	powershell.exe
Token: SeSystemtimePrivilege	1384	powershell.exe
Token: SeProfSingleProcessPrivilege	1384	powershell.exe
Token: SeIncBasePriorityPrivilege	1384	powershell.exe
Token: SeCreatePagefilePrivilege	1384	powershell.exe
Token: SeBackupPrivilege	1384	powershell.exe
Token: SeRestorePrivilege	1384	powershell.exe
Token: SeShutdownPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeSystemEnvironmentPrivilege	1384	powershell.exe
Token: SeRemoteShutdownPrivilege	1384	powershell.exe
Token: SeUndockPrivilege	1384	powershell.exe
Token: SeManageVolumePrivilege	1384	powershell.exe
Token: 33	1384	powershell.exe
Token: 34	1384	powershell.exe
Token: 35	1384	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exe

description	pid	process	target process
PID 1616 wrote to memory of 1540	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1540	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1540	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1540	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1100	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1100	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1100	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1100	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1384	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1384	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1384	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 1384	1616	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 1616 wrote to memory of 940	1616	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
"C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
12b60af4fdf084a3db7213aeeba12ab7

SHA1
78f073b901c16b8f7b3a35fb458af052345bf5cc

SHA256
a157c76edb05e25be2c9c6954d1a13fe32394977844510cfb3fcade366c17faf

SHA512
33c5a66b4b8e8dc8bf8872d06f5eee32da158d9efd598a02560cdbc91c5e726440b4848b4b47ec4ee7f404195238fca0fa2c30546becc0fdf91d9d40e36f9214

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
12b60af4fdf084a3db7213aeeba12ab7

SHA1
78f073b901c16b8f7b3a35fb458af052345bf5cc

SHA256
a157c76edb05e25be2c9c6954d1a13fe32394977844510cfb3fcade366c17faf

SHA512
33c5a66b4b8e8dc8bf8872d06f5eee32da158d9efd598a02560cdbc91c5e726440b4848b4b47ec4ee7f404195238fca0fa2c30546becc0fdf91d9d40e36f9214

Download Submit
memory/940-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/940-80-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/940-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/940-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/940-77-0x0000000000418D2E-mapping.dmp

Download
memory/940-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/940-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/940-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1100-61-0x0000000000000000-mapping.dmp

Download
memory/1384-69-0x0000000002512000-0x0000000002514000-memory.dmp

Filesize
8KB

Download
memory/1384-67-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1384-68-0x0000000002511000-0x0000000002512000-memory.dmp

Filesize
4KB

Download
memory/1384-64-0x0000000000000000-mapping.dmp

Download
memory/1540-60-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/1540-57-0x0000000000000000-mapping.dmp

Download
memory/1616-70-0x0000000000F20000-0x0000000000F6C000-memory.dmp

Filesize
304KB

Download
memory/1616-71-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download
memory/1616-54-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1616-59-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1616-56-0x0000000074C71000-0x0000000074C73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads