redline | 9bf4c9b6c5e930ce91b84920a73d9111793e6d31477458043e94b649147ebf71

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-01-2022 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
Size

1.1MB
MD5

3db8aaeede991e343f4a58c029d5bcb6
SHA1

dce0cf75d9080b4c31425adbc899d21f0ebb5c0f
SHA256

9bf4c9b6c5e930ce91b84920a73d9111793e6d31477458043e94b649147ebf71
SHA512

ae2e99816106a935498f977bf31dd995d315dcdb0237904bce86ccc525732d4b5353376818af87337396370e0cc23ebd321b4ecf1cb30c04969ea0a20ff8df31

Score

10^/10

redline 1 infostealer

Malware Config

Extracted

Family

redline

Botnet

vigasiergu.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-68-0x00000000000F0000-0x0000000000112000-memory.dmp	family_redline
behavioral1/memory/2008-74-0x00000000000F0000-0x0000000000112000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Hai.exe.comHai.exe.comRegAsm.exe

pid process

764 Hai.exe.com
1348 Hai.exe.com
2008 RegAsm.exe
Deletes itself 1 IoCs

Processes:

Hai.exe.com

pid process

1348 Hai.exe.com
Loads dropped DLL 4 IoCs

Processes:

9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.execmd.exeHai.exe.comRegAsm.exe

pid process

1668 9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
832 cmd.exe
1348 Hai.exe.com
2008 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Hai.exe.com

description pid process target process

PID 1348 set thread context of 2008 1348 Hai.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1536 PING.EXE

pid	process
764	Hai.exe.com
1348	Hai.exe.com
2008	RegAsm.exe

pid	process
1668	9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
832	cmd.exe
1348	Hai.exe.com
2008	RegAsm.exe

description	pid	process	target process
PID 1348 set thread context of 2008	1348	Hai.exe.com	RegAsm.exe

pid	process
1536	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Hai.exe.comRegAsm.exe

pid	process
1348	Hai.exe.com
1348	Hai.exe.com
1348	Hai.exe.com
1348	Hai.exe.com
1348	Hai.exe.com
1348	Hai.exe.com
1348	Hai.exe.com
1348	Hai.exe.com
1348	Hai.exe.com
2008	RegAsm.exe
2008	RegAsm.exe
2008	RegAsm.exe
2008	RegAsm.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.execmd.execmd.exeHai.exe.comHai.exe.com

description	pid	process	target process
PID 1668 wrote to memory of 1516	1668	9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe	cmd.exe
PID 1668 wrote to memory of 1516	1668	9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe	cmd.exe
PID 1668 wrote to memory of 1516	1668	9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe	cmd.exe
PID 1668 wrote to memory of 1516	1668	9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe	cmd.exe
PID 1516 wrote to memory of 832	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 832	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 832	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 832	1516	cmd.exe	cmd.exe
PID 832 wrote to memory of 524	832	cmd.exe	findstr.exe
PID 832 wrote to memory of 524	832	cmd.exe	findstr.exe
PID 832 wrote to memory of 524	832	cmd.exe	findstr.exe
PID 832 wrote to memory of 524	832	cmd.exe	findstr.exe
PID 832 wrote to memory of 764	832	cmd.exe	Hai.exe.com
PID 832 wrote to memory of 764	832	cmd.exe	Hai.exe.com
PID 832 wrote to memory of 764	832	cmd.exe	Hai.exe.com
PID 832 wrote to memory of 764	832	cmd.exe	Hai.exe.com
PID 832 wrote to memory of 1536	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1536	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1536	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 1536	832	cmd.exe	PING.EXE
PID 764 wrote to memory of 1348	764	Hai.exe.com	Hai.exe.com
PID 764 wrote to memory of 1348	764	Hai.exe.com	Hai.exe.com
PID 764 wrote to memory of 1348	764	Hai.exe.com	Hai.exe.com
PID 764 wrote to memory of 1348	764	Hai.exe.com	Hai.exe.com
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe
PID 1348 wrote to memory of 2008	1348	Hai.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe
"C:\Users\Admin\AppData\Local\Temp\9BF4C9B6C5E930CE91B84920A73D9111793E6D3147745.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
"cmd" /c cmd < Ingranditi.vss
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fuetIiQsuPqjAJVttASkWlwvPOGVNzHQwJbzXtckNBEqDdxupaWHHZAytGgTAVENilkQkBuZyGnxFwTnxALxvqowpagsQBLSXQSayDVHjXBwBu$" Sul.vss
4⤵
PID:524

C:\Users\Admin\AppData\Roaming\Hai.exe.com
Hai.exe.com I
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Roaming\Hai.exe.com
C:\Users\Admin\AppData\Roaming\Hai.exe.com I
5⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Roaming\RegAsm.exe
C:\Users\Admin\AppData\Roaming\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Cancellato.vss
MD5
9ade5ce9d5905c826669ce593925778b

SHA1
b426f52bfe2297f709488e1efe74173188e9059c

SHA256
a362496c9b6d20798529ed23964028e39ebc245eb1cd9db407e0162c73f4d0d6

SHA512
3130f0ac30e8448c46f1385a91821a9d819490b8fad3a0885cdee36fda73c3322a43ff6888cb70d987164a55d4e7d848a6d529eacb3e88a7aea6c27b8e102174

Download Submit
C:\Users\Admin\AppData\Roaming\Hai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Hai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\I
MD5
4f0ea88efaffe77c5b2f0def0525437e

SHA1
fff4fafe4d044c50e4d7cbb6f3caf3b0a2857184

SHA256
35f4ea06fb50b35dcdbb01eed3b1326a2ab648eeec81644a12e42921fc4e0b02

SHA512
2ecbb604e5c366bef2de50473a8a1ad165f1bda03bc4bb6c057432514e36b68797e6a88967827f885e22e9b3ae9c8b510923b87390baf452bdd8ee539cb6af1f

Download Submit
C:\Users\Admin\AppData\Roaming\Ingranditi.vss
MD5
43cb85e9dd4c6a25b26a284c4d4b76ac

SHA1
567f4c9fb4877a772bd1504fabd63e93bd30563f

SHA256
e33387125c435bc00687074755c6f20c461c9d935c948554a46ae4e63cd8474f

SHA512
54f600aefef8b937ce046edc353f971c3a02e869d7fbfe1a768360b1a3fbd85c22ad6625056acfaf44958b4e5aa6fb6bf77cfa54f68e4fd1ad916c0d283ae98f

Download Submit
C:\Users\Admin\AppData\Roaming\Mille.vss
MD5
4f0ea88efaffe77c5b2f0def0525437e

SHA1
fff4fafe4d044c50e4d7cbb6f3caf3b0a2857184

SHA256
35f4ea06fb50b35dcdbb01eed3b1326a2ab648eeec81644a12e42921fc4e0b02

SHA512
2ecbb604e5c366bef2de50473a8a1ad165f1bda03bc4bb6c057432514e36b68797e6a88967827f885e22e9b3ae9c8b510923b87390baf452bdd8ee539cb6af1f

Download Submit
C:\Users\Admin\AppData\Roaming\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Sul.vss
MD5
47985749b176175b0233934dbf034f5d

SHA1
936938f9d1e68b932ae9d61ffec19bcb0a57efea

SHA256
68a864ef9f9283178192b42c19c07877454785e5db339edf77c0ca7efe337c49

SHA512
a6a97be7a82b20d1b9921e3639d870c4871cd224a4bd406d0e0beb93a6753cc34ece23c703601a8635859d5251d2d7a2e2a6f4799c7cb6c5e99652a42790523a

Download Submit
\Users\Admin\AppData\Local\Temp\nsnD450.tmp\nsExec.dll
MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
\Users\Admin\AppData\Roaming\Hai.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Roaming\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1348-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1668-53-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/2008-66-0x00000000000F0000-0x0000000000112000-memory.dmp

Filesize
136KB

Download
memory/2008-68-0x00000000000F0000-0x0000000000112000-memory.dmp

Filesize
136KB

Download
memory/2008-74-0x00000000000F0000-0x0000000000112000-memory.dmp

Filesize
136KB

Download
memory/2008-75-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download