redline | fc353994c7c21ec405bd5ea01c1082f56b7e2404d163f9a5a69d593070507911

General

Target

GenshinPublic.exe
Size

391KB
MD5

2e2142cc8d63b932ca33fc58662b6693
SHA1

d67631fb8c4d25f0a8e4b6ac48fba728f03023ad
SHA256

fc353994c7c21ec405bd5ea01c1082f56b7e2404d163f9a5a69d593070507911
SHA512

240bb50a29466c74381bbe7bd4f77b0f7f0cbe03bbdffecfb85225b162aef5a19291ac8659f8d960d9dfd832562469da7e55953d8d0a41e60c3dfb41289db0ab

Score

10^/10

redline xxluchxx1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

C2

185.215.113.109:44059

Extracted

Family

redline

Botnet

xxluchxx1

C2

212.86.102.63:62907

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2708-119-0x0000000000890000-0x00000000008AA000-memory.dmp	family_redline
behavioral2/memory/856-134-0x00000000013E0000-0x00000000013F8000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

asfasf.exeMemo.exeLogeer.exe

pid process

856 asfasf.exe
3948 Memo.exe
724 Logeer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

708 3948 WerFault.exe Memo.exe
60 724 WerFault.exe Logeer.exe

pid	process
856	asfasf.exe
3948	Memo.exe
724	Logeer.exe

pid	pid_target	process	target process
708	3948	WerFault.exe	Memo.exe
60	724	WerFault.exe	Logeer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GenshinPublic.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GenshinPublic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GenshinPublic.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

GenshinPublic.exeWerFault.exeWerFault.exeasfasf.exe

pid	process
2708	GenshinPublic.exe
2708	GenshinPublic.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
708	WerFault.exe
60	WerFault.exe
856	asfasf.exe
856	asfasf.exe
2708	GenshinPublic.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

GenshinPublic.exeasfasf.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2708	GenshinPublic.exe
Token: SeDebugPrivilege	856	asfasf.exe
Token: SeDebugPrivilege	60	WerFault.exe
Token: SeDebugPrivilege	708	WerFault.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

GenshinPublic.exe

description	pid	process	target process
PID 2708 wrote to memory of 856	2708	GenshinPublic.exe	asfasf.exe
PID 2708 wrote to memory of 856	2708	GenshinPublic.exe	asfasf.exe
PID 2708 wrote to memory of 3948	2708	GenshinPublic.exe	Memo.exe
PID 2708 wrote to memory of 3948	2708	GenshinPublic.exe	Memo.exe
PID 2708 wrote to memory of 724	2708	GenshinPublic.exe	Logeer.exe
PID 2708 wrote to memory of 724	2708	GenshinPublic.exe	Logeer.exe

C:\Users\Admin\AppData\Local\Temp\GenshinPublic.exe
"C:\Users\Admin\AppData\Local\Temp\GenshinPublic.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Roaming\asfasf.exe
"C:\Users\Admin\AppData\Roaming\asfasf.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Roaming\Memo.exe
"C:\Users\Admin\AppData\Roaming\Memo.exe"
2⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3948 -s 948
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Users\Admin\AppData\Roaming\Logeer.exe
"C:\Users\Admin\AppData\Roaming\Logeer.exe"
2⤵
- Executes dropped EXE
PID:724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 724 -s 948
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Logeer.exe
MD5
4108f630579979cfb8ca2bc73dcbdc07

SHA1
5d3e9ee3e462dbcf826aa3996c46378effc736a5

SHA256
2776a758c38bf9f909a46c0e58dc62a2b5f620e487a06f43aca79ca61d110fe6

SHA512
29aba2fb144957696d55a4c5b753057ed8a829299da23fc8d48820248cefac43068c2ddd36543c8d208460efb0caae6e2beff087ada937849f1ab51e9520d6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Logeer.exe
MD5
4108f630579979cfb8ca2bc73dcbdc07

SHA1
5d3e9ee3e462dbcf826aa3996c46378effc736a5

SHA256
2776a758c38bf9f909a46c0e58dc62a2b5f620e487a06f43aca79ca61d110fe6

SHA512
29aba2fb144957696d55a4c5b753057ed8a829299da23fc8d48820248cefac43068c2ddd36543c8d208460efb0caae6e2beff087ada937849f1ab51e9520d6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Memo.exe
MD5
d663f5a1f4c8bf1bacb90324e7a38b64

SHA1
da0de378bcb909cf82a6a2b5766aff961c9b6bf5

SHA256
1791d0763a544911852e4ecde3ea6a0e3cb72aaec45bfae7cea2b1780f285c9d

SHA512
49189e9a346f785071bf51c391264dd303c74411c4bf258d9f34d64d197db00f28b2fd1f0c451e9c5b1aa44199bfb876c6b3470dd9e435387b55d630330d9563

Download Submit
C:\Users\Admin\AppData\Roaming\Memo.exe
MD5
d663f5a1f4c8bf1bacb90324e7a38b64

SHA1
da0de378bcb909cf82a6a2b5766aff961c9b6bf5

SHA256
1791d0763a544911852e4ecde3ea6a0e3cb72aaec45bfae7cea2b1780f285c9d

SHA512
49189e9a346f785071bf51c391264dd303c74411c4bf258d9f34d64d197db00f28b2fd1f0c451e9c5b1aa44199bfb876c6b3470dd9e435387b55d630330d9563

Download Submit
C:\Users\Admin\AppData\Roaming\asfasf.exe
MD5
9a9120e7087d20b64a15693c53c4a9a4

SHA1
190ace4b886f2d5de5526234b40e7186952d771d

SHA256
b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2

SHA512
2a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe

Download Submit
C:\Users\Admin\AppData\Roaming\asfasf.exe
MD5
9a9120e7087d20b64a15693c53c4a9a4

SHA1
190ace4b886f2d5de5526234b40e7186952d771d

SHA256
b30a0a7e75cca6ec22a4628567fb057dfc22bfd04381bc97b1a1da6f05769ea2

SHA512
2a62e17df72e9ef31a68231ba8b949e02ca4b518c5f5836878203f8c46ce689bfa7de700b6eba38a309b2c30cf862621907e9ab2cf1e7b2d31039a64465db5fe

Download Submit
memory/724-147-0x0000026F7CAC0000-0x0000026F7CAC2000-memory.dmp

Filesize
8KB

Download
memory/724-145-0x0000026F7CAD0000-0x0000026F7CDFC000-memory.dmp

Filesize
3.2MB

Download
memory/724-137-0x0000026F61FF0000-0x0000026F61FF1000-memory.dmp

Filesize
4KB

Download
memory/724-131-0x0000000000000000-mapping.dmp

Download
memory/856-134-0x00000000013E0000-0x00000000013F8000-memory.dmp

Filesize
96KB

Download
memory/856-132-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/856-151-0x00000000013D2000-0x00000000013D4000-memory.dmp

Filesize
8KB

Download
memory/856-124-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/856-150-0x000000001CC20000-0x000000001CC21000-memory.dmp

Filesize
4KB

Download
memory/856-121-0x0000000000000000-mapping.dmp

Download
memory/856-149-0x000000001C520000-0x000000001C521000-memory.dmp

Filesize
4KB

Download
memory/2708-140-0x000000001C2D0000-0x000000001C2D1000-memory.dmp

Filesize
4KB

Download
memory/2708-119-0x0000000000890000-0x00000000008AA000-memory.dmp

Filesize
104KB

Download
memory/2708-141-0x000000001B3F0000-0x000000001B3F1000-memory.dmp

Filesize
4KB

Download
memory/2708-143-0x000000001B450000-0x000000001B451000-memory.dmp

Filesize
4KB

Download
memory/2708-118-0x000000001AF40000-0x000000001AF41000-memory.dmp

Filesize
4KB

Download
memory/2708-117-0x000000001AE30000-0x000000001AE32000-memory.dmp

Filesize
8KB

Download
memory/2708-120-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2708-115-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2708-152-0x000000001C210000-0x000000001C211000-memory.dmp

Filesize
4KB

Download
memory/3948-126-0x0000000000000000-mapping.dmp

Download
memory/3948-146-0x0000028F9B920000-0x0000028F9BC03000-memory.dmp

Filesize
2.9MB

Download
memory/3948-148-0x0000028F9B8E0000-0x0000028F9B8E2000-memory.dmp

Filesize
8KB

Download
memory/3948-129-0x0000028F80FE0000-0x0000028F80FE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads