redline | ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950

General

Target

ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe
Size

6.4MB
MD5

1008944bf8de596e9d032ab66a46caa7
SHA1

cc411e0c3b2a7ef3e02618bdab39d9a023f0569d
SHA256

ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950
SHA512

67e9d1d78fa1a32b53f59c3a21846cb125b5f9d79acd56eb8357cd04aec754418a430b11287f106177439c49e9df08e72d5fab2e2ff1b7927cf2c48934ca393d

Score

10^/10

redline evasion infostealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1992-138-0x00000000004B0000-0x0000000000C70000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 3 IoCs

Processes:

proliv041.exeUnderdress.exeUnseduceability.exe

pid process

1992 proliv041.exe
1316 Underdress.exe
1320 Unseduceability.exe

pid	process
1992	proliv041.exe
1316	Underdress.exe
1320	Unseduceability.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

proliv041.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	proliv041.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	proliv041.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Underdress.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Underdress.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\proliv041.exe	themida
behavioral2/memory/1992-138-0x00000000004B0000-0x0000000000C70000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

proliv041.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA proliv041.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

proliv041.exe

pid process

1992 proliv041.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	proliv041.exe

pid	process
1992	proliv041.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

proliv041.exe

pid process

1992 proliv041.exe
1992 proliv041.exe

pid	process
1992	proliv041.exe
1992	proliv041.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Unseduceability.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	1320	Unseduceability.exe
Token: SeShutdownPrivilege	4740	svchost.exe
Token: SeCreatePagefilePrivilege	4740	svchost.exe
Token: SeShutdownPrivilege	4740	svchost.exe
Token: SeCreatePagefilePrivilege	4740	svchost.exe
Token: SeShutdownPrivilege	4740	svchost.exe
Token: SeCreatePagefilePrivilege	4740	svchost.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe
Token: SeBackupPrivilege	1912	TiWorker.exe
Token: SeRestorePrivilege	1912	TiWorker.exe
Token: SeSecurityPrivilege	1912	TiWorker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exeUnderdress.exe

description	pid	process	target process
PID 3048 wrote to memory of 1992	3048	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	proliv041.exe
PID 3048 wrote to memory of 1992	3048	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	proliv041.exe
PID 3048 wrote to memory of 1992	3048	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	proliv041.exe
PID 3048 wrote to memory of 1316	3048	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 3048 wrote to memory of 1316	3048	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 3048 wrote to memory of 1316	3048	ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe	Underdress.exe
PID 1316 wrote to memory of 1320	1316	Underdress.exe	Unseduceability.exe
PID 1316 wrote to memory of 1320	1316	Underdress.exe	Unseduceability.exe

C:\Users\Admin\AppData\Local\Temp\ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe
"C:\Users\Admin\AppData\Local\Temp\ac6f90ff2e5bddd26a0e1abdf9d35b5533d0d09727a0fd1c28da4bfec2bda950.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Roaming\proliv041.exe
  C:\Users\Admin\AppData\Roaming\proliv041.exe
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Users\Admin\AppData\Roaming\Underdress.exe
  C:\Users\Admin\AppData\Roaming\Underdress.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe
    "C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe

MD5
91f6b00edae795d78097a46fb95a9a6e

SHA1
cc1fdf6d7fb9f9714c7dc514403b9fbf146f9ecb

SHA256
06dff5df2be2ce59bdec091b34a18ef78073087fd4a1682efd7744ffa0d4f5b8

SHA512
7853f2127531cdb0aee922b80a65233f2b90bed70082df89a01baaa81f331ee96fb0ff0c4112742771373a9ec14e0953f0e2caa3db0cdba3578489901ba9a975

Download Submit
C:\Users\Admin\AppData\Roaming\Underdress.exe

MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Underdress.exe

MD5
98f60434f7be5433b37cd47ec5029537

SHA1
1bb8e44edde75b6f346d8997106efe57eba9e3ef

SHA256
c6e318d3262b78179f3f17c4cbf60405dc95634e6100199439fa21bba6216766

SHA512
df547958f85c0ad26c5636b4e6bbbb7ca198d5cc3e950f04fa0f5dc28aacdb50d03491adc098ca5cf11a819be9a8038726dad5ce7939fd007fcb550581094ac7

Download Submit
C:\Users\Admin\AppData\Roaming\proliv041.exe

MD5
95c9346936c5c633e7921950127049d6

SHA1
73f85b8663892657610d581e9529bd6e9342c0a8

SHA256
dccdfc1c0e6a10d9a3dd9ef2d07097f754dd4781d942ddebd9abed9559f8677d

SHA512
5a698d8ae664321a0ae006d103d41c89efdbba60edda1e752fc292c4173688c2855cb2dc88a2c236499339dee70b09cfc620c2f7fbb0330dcf2eff9f0a502866

Download Submit
memory/1320-157-0x000002257B460000-0x000002257B472000-memory.dmp

Filesize
72KB

Download
memory/1320-161-0x00007FFF55A00000-0x00007FFF55CC9000-memory.dmp

Filesize
2.8MB

Download
memory/1320-166-0x00007FFF562F1000-0x00007FFF56358000-memory.dmp

Filesize
412KB

Download
memory/1320-165-0x00007FFF55A01000-0x00007FFF55B13000-memory.dmp

Filesize
1.1MB

Download
memory/1320-142-0x00007FFF37AD3000-0x00007FFF37AD5000-memory.dmp

Filesize
8KB

Download
memory/1320-164-0x00007FFF563B1000-0x00007FFF56430000-memory.dmp

Filesize
508KB

Download
memory/1320-163-0x00007FFF57D91000-0x00007FFF57EAA000-memory.dmp

Filesize
1.1MB

Download
memory/1320-145-0x000002255EF80000-0x000002255F2E8000-memory.dmp

Filesize
3.4MB

Download
memory/1320-162-0x00007FFF562F0000-0x00007FFF5639C000-memory.dmp

Filesize
688KB

Download
memory/1320-156-0x0000022560E05000-0x0000022560E07000-memory.dmp

Filesize
8KB

Download
memory/1320-160-0x00007FFF563B0000-0x00007FFF5646E000-memory.dmp

Filesize
760KB

Download
memory/1320-149-0x0000022560F40000-0x0000022560F5A000-memory.dmp

Filesize
104KB

Download
memory/1320-150-0x0000022560E00000-0x0000022560E02000-memory.dmp

Filesize
8KB

Download
memory/1320-152-0x0000022560E04000-0x0000022560E05000-memory.dmp

Filesize
4KB

Download
memory/1320-151-0x0000022560E02000-0x0000022560E04000-memory.dmp

Filesize
8KB

Download
memory/1320-159-0x00007FFF57D90000-0x00007FFF57F85000-memory.dmp

Filesize
2.0MB

Download
memory/1320-158-0x000002257D260000-0x000002257D72C000-memory.dmp

Filesize
4.8MB

Download
memory/1992-146-0x0000000005A80000-0x0000000005B8A000-memory.dmp

Filesize
1.0MB

Download
memory/1992-133-0x00000000755E0000-0x00000000755E1000-memory.dmp

Filesize
4KB

Download
memory/1992-148-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/1992-147-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/1992-138-0x00000000004B0000-0x0000000000C70000-memory.dmp

Filesize
7.8MB

Download
memory/1992-144-0x0000000005870000-0x0000000005882000-memory.dmp

Filesize
72KB

Download
memory/1992-143-0x0000000005F90000-0x00000000065A8000-memory.dmp

Filesize
6.1MB

Download
memory/1992-141-0x0000000073B6E000-0x0000000073B6F000-memory.dmp

Filesize
4KB

Download
memory/1992-134-0x0000000077274000-0x0000000077276000-memory.dmp

Filesize
8KB

Download
memory/4740-155-0x0000019AC9460000-0x0000019AC9464000-memory.dmp

Filesize
16KB

Download
memory/4740-154-0x0000019AC6D80000-0x0000019AC6D90000-memory.dmp

Filesize
64KB

Download
memory/4740-153-0x0000019AC6D20000-0x0000019AC6D30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads