redline | 4ce378a5ea71af10bfcbcc5b39dadbeb86718437cc92566a77641222ab2bd44e

General

Target

8550ebb8f4f5b377df3a3492dbc08f63.exe
Size

653KB
MD5

8550ebb8f4f5b377df3a3492dbc08f63
SHA1

b28aa83aa21501a8d12bba80d964da54adcb4162
SHA256

4ce378a5ea71af10bfcbcc5b39dadbeb86718437cc92566a77641222ab2bd44e
SHA512

aef4bf8bffbd6ba451d8bb05a6b109dd93478b7e9481efc6c9483c650811aa8ee65b2a730fd54beccffba6d7834149bffc2fcf8e6d30122f62b80d4c2c2d4281

Score

10^/10

redline test1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

test1

C2

disandillanne.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2464-192-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3976 created 1028 3976 WerFault.exe abb25203-459a-4074-98c1-d73b6e21907b.exe
Executes dropped EXE 2 IoCs

Processes:

f1622089-76fe-41f0-87a7-7aee8c473850.exeabb25203-459a-4074-98c1-d73b6e21907b.exe

pid process

5116 f1622089-76fe-41f0-87a7-7aee8c473850.exe
1028 abb25203-459a-4074-98c1-d73b6e21907b.exe

description	pid	process	target process
PID 3976 created 1028	3976	WerFault.exe	abb25203-459a-4074-98c1-d73b6e21907b.exe

pid	process
5116	f1622089-76fe-41f0-87a7-7aee8c473850.exe
1028	abb25203-459a-4074-98c1-d73b6e21907b.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8550ebb8f4f5b377df3a3492dbc08f63.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8550ebb8f4f5b377df3a3492dbc08f63.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

abb25203-459a-4074-98c1-d73b6e21907b.exe

description pid process target process

PID 1028 set thread context of 2464 1028 abb25203-459a-4074-98c1-d73b6e21907b.exe AppLaunch.exe

description	pid	process	target process
PID 1028 set thread context of 2464	1028	abb25203-459a-4074-98c1-d73b6e21907b.exe	AppLaunch.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3184 1028 WerFault.exe abb25203-459a-4074-98c1-d73b6e21907b.exe

pid	pid_target	process	target process
3184	1028	WerFault.exe	abb25203-459a-4074-98c1-d73b6e21907b.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exef1622089-76fe-41f0-87a7-7aee8c473850.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	f1622089-76fe-41f0-87a7-7aee8c473850.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	f1622089-76fe-41f0-87a7-7aee8c473850.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f1622089-76fe-41f0-87a7-7aee8c473850.exeWerFault.exe

pid process

5116 f1622089-76fe-41f0-87a7-7aee8c473850.exe
3184 WerFault.exe
3184 WerFault.exe

pid	process
5116	f1622089-76fe-41f0-87a7-7aee8c473850.exe
3184	WerFault.exe
3184	WerFault.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

8550ebb8f4f5b377df3a3492dbc08f63.exeWerFault.exef1622089-76fe-41f0-87a7-7aee8c473850.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3232	8550ebb8f4f5b377df3a3492dbc08f63.exe
Token: SeRestorePrivilege	3184	WerFault.exe
Token: SeBackupPrivilege	3184	WerFault.exe
Token: SeDebugPrivilege	5116	f1622089-76fe-41f0-87a7-7aee8c473850.exe
Token: SeShutdownPrivilege	4964	svchost.exe
Token: SeCreatePagefilePrivilege	4964	svchost.exe
Token: SeShutdownPrivilege	4964	svchost.exe
Token: SeCreatePagefilePrivilege	4964	svchost.exe
Token: SeShutdownPrivilege	4964	svchost.exe
Token: SeCreatePagefilePrivilege	4964	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

8550ebb8f4f5b377df3a3492dbc08f63.exeabb25203-459a-4074-98c1-d73b6e21907b.exeWerFault.exe

description	pid	process	target process
PID 3232 wrote to memory of 5116	3232	8550ebb8f4f5b377df3a3492dbc08f63.exe	f1622089-76fe-41f0-87a7-7aee8c473850.exe
PID 3232 wrote to memory of 5116	3232	8550ebb8f4f5b377df3a3492dbc08f63.exe	f1622089-76fe-41f0-87a7-7aee8c473850.exe
PID 3232 wrote to memory of 5116	3232	8550ebb8f4f5b377df3a3492dbc08f63.exe	f1622089-76fe-41f0-87a7-7aee8c473850.exe
PID 3232 wrote to memory of 1028	3232	8550ebb8f4f5b377df3a3492dbc08f63.exe	abb25203-459a-4074-98c1-d73b6e21907b.exe
PID 3232 wrote to memory of 1028	3232	8550ebb8f4f5b377df3a3492dbc08f63.exe	abb25203-459a-4074-98c1-d73b6e21907b.exe
PID 3232 wrote to memory of 1028	3232	8550ebb8f4f5b377df3a3492dbc08f63.exe	abb25203-459a-4074-98c1-d73b6e21907b.exe
PID 1028 wrote to memory of 2464	1028	abb25203-459a-4074-98c1-d73b6e21907b.exe	AppLaunch.exe
PID 1028 wrote to memory of 2464	1028	abb25203-459a-4074-98c1-d73b6e21907b.exe	AppLaunch.exe
PID 1028 wrote to memory of 2464	1028	abb25203-459a-4074-98c1-d73b6e21907b.exe	AppLaunch.exe
PID 1028 wrote to memory of 2464	1028	abb25203-459a-4074-98c1-d73b6e21907b.exe	AppLaunch.exe
PID 1028 wrote to memory of 2464	1028	abb25203-459a-4074-98c1-d73b6e21907b.exe	AppLaunch.exe
PID 3976 wrote to memory of 1028	3976	WerFault.exe	abb25203-459a-4074-98c1-d73b6e21907b.exe
PID 3976 wrote to memory of 1028	3976	WerFault.exe	abb25203-459a-4074-98c1-d73b6e21907b.exe

C:\Users\Admin\AppData\Local\Temp\8550ebb8f4f5b377df3a3492dbc08f63.exe
"C:\Users\Admin\AppData\Local\Temp\8550ebb8f4f5b377df3a3492dbc08f63.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\f1622089-76fe-41f0-87a7-7aee8c473850.exe
"C:\Users\Admin\AppData\Local\Temp\f1622089-76fe-41f0-87a7-7aee8c473850.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Users\Admin\AppData\Local\Temp\abb25203-459a-4074-98c1-d73b6e21907b.exe
"C:\Users\Admin\AppData\Local\Temp\abb25203-459a-4074-98c1-d73b6e21907b.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 380
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1028 -ip 1028
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abb25203-459a-4074-98c1-d73b6e21907b.exe
MD5
4f1c1dee549fe45bfc4d69f251c3bbfe

SHA1
2771a162d86f1658a37ad50b55e73c38ebf4459a

SHA256
20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75

SHA512
15b3d64c333e679a37661a21bff192cb6e76f63b3a1b409ae1ec1401893b77d9b76bafff01b3efbdcf7e15a60b55c4f424a161772423c264a3c64d8405255581

Download Submit
C:\Users\Admin\AppData\Local\Temp\abb25203-459a-4074-98c1-d73b6e21907b.exe
MD5
4f1c1dee549fe45bfc4d69f251c3bbfe

SHA1
2771a162d86f1658a37ad50b55e73c38ebf4459a

SHA256
20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75

SHA512
15b3d64c333e679a37661a21bff192cb6e76f63b3a1b409ae1ec1401893b77d9b76bafff01b3efbdcf7e15a60b55c4f424a161772423c264a3c64d8405255581

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1622089-76fe-41f0-87a7-7aee8c473850.exe
MD5
1396d49010a266cc8d9daf2978289139

SHA1
08d4e8893415391b2a954ea601d4e9ffec1e03a5

SHA256
d617b5d11d26ed5b6671e2c6d85eb7c0e08b8e593edc113664c4af3824bcc054

SHA512
f8237d07937d83a3bb878ea7f7d4358ad9853de4d5444bda5fccbd1e6196540de5746eb6084663b5f85db066ac83ed9b79715c9db775b9510f6a29734ef675b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1622089-76fe-41f0-87a7-7aee8c473850.exe
MD5
1396d49010a266cc8d9daf2978289139

SHA1
08d4e8893415391b2a954ea601d4e9ffec1e03a5

SHA256
d617b5d11d26ed5b6671e2c6d85eb7c0e08b8e593edc113664c4af3824bcc054

SHA512
f8237d07937d83a3bb878ea7f7d4358ad9853de4d5444bda5fccbd1e6196540de5746eb6084663b5f85db066ac83ed9b79715c9db775b9510f6a29734ef675b0

Download Submit
memory/1028-182-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/1028-184-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/1028-179-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/1028-180-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/1028-191-0x000000000019F000-0x00000000001A0000-memory.dmp

Filesize
4KB

Download
memory/1028-188-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/1028-187-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/1028-186-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/1028-185-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1028-181-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1028-183-0x0000000002570000-0x00000000025B1000-memory.dmp

Filesize
260KB

Download
memory/2464-199-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/2464-198-0x0000000005EA0000-0x00000000064B8000-memory.dmp

Filesize
6.1MB

Download
memory/2464-192-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2464-197-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2464-200-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/2464-214-0x0000000005880000-0x0000000005E98000-memory.dmp

Filesize
6.1MB

Download
memory/2464-215-0x00000000058E0000-0x000000000591C000-memory.dmp

Filesize
240KB

Download
memory/3232-149-0x0000000005160000-0x0000000005704000-memory.dmp

Filesize
5.6MB

Download
memory/3232-145-0x0000000000840000-0x0000000000872000-memory.dmp

Filesize
200KB

Download
memory/3232-131-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3232-132-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3232-133-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3232-134-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3232-135-0x0000000000880000-0x00000000008BB000-memory.dmp

Filesize
236KB

Download
memory/3232-136-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3232-138-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3232-139-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3232-137-0x0000000000840000-0x0000000000872000-memory.dmp

Filesize
200KB

Download
memory/3232-146-0x0000000000841000-0x000000000084C000-memory.dmp

Filesize
44KB

Download
memory/3232-147-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-148-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/3232-130-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3232-150-0x0000000002B90000-0x0000000002C22000-memory.dmp

Filesize
584KB

Download
memory/3232-151-0x0000000002C52000-0x0000000002C53000-memory.dmp

Filesize
4KB

Download
memory/3232-153-0x0000000002C54000-0x0000000002C55000-memory.dmp

Filesize
4KB

Download
memory/3232-152-0x0000000002C53000-0x0000000002C54000-memory.dmp

Filesize
4KB

Download
memory/4964-213-0x00000183A2430000-0x00000183A2434000-memory.dmp

Filesize
16KB

Download
memory/5116-171-0x0000000005292000-0x0000000005293000-memory.dmp

Filesize
4KB

Download
memory/5116-172-0x0000000005293000-0x0000000005294000-memory.dmp

Filesize
4KB

Download
memory/5116-175-0x0000000002B10000-0x0000000002BAC000-memory.dmp

Filesize
624KB

Download
memory/5116-174-0x0000000002550000-0x00000000025A0000-memory.dmp

Filesize
320KB

Download
memory/5116-170-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/5116-158-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/5116-176-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/5116-156-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5116-173-0x0000000005294000-0x0000000005295000-memory.dmp

Filesize
4KB

Download
memory/5116-169-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/5116-167-0x00000000008A0000-0x00000000008CA000-memory.dmp

Filesize
168KB

Download
memory/5116-168-0x00000000008A1000-0x00000000008AC000-memory.dmp

Filesize
44KB

Download
memory/5116-166-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5116-157-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5116-165-0x0000000002480000-0x00000000024B9000-memory.dmp

Filesize
228KB

Download
memory/5116-159-0x00000000008A0000-0x00000000008CA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads