redline | 4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e

Analysis

max time kernel
120s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
11-11-2021 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b73c34e7b239cf0d14810c17fecefbe7.exe
Size

1.4MB
MD5

b73c34e7b239cf0d14810c17fecefbe7
SHA1

9cbc5fb855aa90249a721f8277b88ea84bea00b6
SHA256

4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e
SHA512

35ce91ef2bb88fb3b642768501066cfa82848ef7066008181e070b29349b4a6e917ae6e67685b4bfc24abbfee47a698986cd4d23eebd67c54e6beeabd910cbd1

Score

10^/10

redline 1011bankk evasion infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

1011bankk

charirelay.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/828-168-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/828-173-0x0000000000418EF6-mapping.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 352 created 3116 352 WerFault.exe b73c34e7b239cf0d14810c17fecefbe7.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 352 created 3116	352	WerFault.exe	b73c34e7b239cf0d14810c17fecefbe7.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b73c34e7b239cf0d14810c17fecefbe7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b73c34e7b239cf0d14810c17fecefbe7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b73c34e7b239cf0d14810c17fecefbe7.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b73c34e7b239cf0d14810c17fecefbe7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b73c34e7b239cf0d14810c17fecefbe7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b73c34e7b239cf0d14810c17fecefbe7.exe

description pid process target process

PID 3116 set thread context of 828 3116 b73c34e7b239cf0d14810c17fecefbe7.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

352 3116 WerFault.exe b73c34e7b239cf0d14810c17fecefbe7.exe

description	pid	process	target process
PID 3116 set thread context of 828	3116	b73c34e7b239cf0d14810c17fecefbe7.exe	AppLaunch.exe

pid	pid_target	process	target process
352	3116	WerFault.exe	b73c34e7b239cf0d14810c17fecefbe7.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe
352	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeAppLaunch.exe

description	pid	process
Token: SeRestorePrivilege	352	WerFault.exe
Token: SeBackupPrivilege	352	WerFault.exe
Token: SeDebugPrivilege	352	WerFault.exe
Token: SeDebugPrivilege	828	AppLaunch.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

b73c34e7b239cf0d14810c17fecefbe7.exe

description	pid	process	target process
PID 3116 wrote to memory of 828	3116	b73c34e7b239cf0d14810c17fecefbe7.exe	AppLaunch.exe
PID 3116 wrote to memory of 828	3116	b73c34e7b239cf0d14810c17fecefbe7.exe	AppLaunch.exe
PID 3116 wrote to memory of 828	3116	b73c34e7b239cf0d14810c17fecefbe7.exe	AppLaunch.exe
PID 3116 wrote to memory of 828	3116	b73c34e7b239cf0d14810c17fecefbe7.exe	AppLaunch.exe
PID 3116 wrote to memory of 828	3116	b73c34e7b239cf0d14810c17fecefbe7.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\b73c34e7b239cf0d14810c17fecefbe7.exe
"C:\Users\Admin\AppData\Local\Temp\b73c34e7b239cf0d14810c17fecefbe7.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 552
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-168-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/828-205-0x000000000BB40000-0x000000000BB41000-memory.dmp

Filesize
4KB

Download
memory/828-204-0x000000000B440000-0x000000000B441000-memory.dmp

Filesize
4KB

Download
memory/828-195-0x000000000AB60000-0x000000000AB61000-memory.dmp

Filesize
4KB

Download
memory/828-192-0x000000000A970000-0x000000000A971000-memory.dmp

Filesize
4KB

Download
memory/828-191-0x000000000AC70000-0x000000000AC71000-memory.dmp

Filesize
4KB

Download
memory/828-190-0x000000000A6D0000-0x000000000A6D1000-memory.dmp

Filesize
4KB

Download
memory/828-189-0x000000000A5B0000-0x000000000A5B1000-memory.dmp

Filesize
4KB

Download
memory/828-185-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/828-184-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/828-183-0x0000000009540000-0x0000000009541000-memory.dmp

Filesize
4KB

Download
memory/828-182-0x00000000094E0000-0x0000000009AE6000-memory.dmp

Filesize
6.0MB

Download
memory/828-181-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/828-180-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/828-179-0x0000000009AF0000-0x0000000009AF1000-memory.dmp

Filesize
4KB

Download
memory/828-177-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/828-176-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/828-175-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/828-174-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/828-173-0x0000000000418EF6-mapping.dmp

Download
memory/3116-132-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/3116-162-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3116-136-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/3116-138-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-139-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-141-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3116-140-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/3116-142-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3116-143-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3116-145-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3116-144-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3116-147-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-146-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/3116-148-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-150-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-149-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-151-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-153-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/3116-152-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3116-154-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/3116-155-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/3116-156-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3116-157-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3116-159-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3116-158-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3116-161-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3116-160-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3116-137-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/3116-163-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/3116-165-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3116-164-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3116-166-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/3116-167-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/3116-135-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3116-134-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/3116-115-0x00000000025D0000-0x0000000002630000-memory.dmp

Filesize
384KB

Download
memory/3116-133-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/3116-131-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-130-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-129-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-128-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/3116-127-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/3116-126-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3116-125-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/3116-122-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3116-124-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3116-123-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/3116-121-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3116-120-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3116-119-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3116-118-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/3116-117-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download
memory/3116-116-0x0000000000400000-0x00000000007B0000-memory.dmp

Filesize
3.7MB

Download