redline | 8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43

General

Target

1_KpCGvNj.exe
Size

250KB
MD5

2f84afead84a3699cb870693b05c308c
SHA1

f7a22058ca233ad6685af822a209598b6413b5d7
SHA256

8eaf681b745ba342b3c952210ea78b6db1cf699954021ece171f71dbd9f8ac43
SHA512

fb0f7aa35c5e6820d347aae549e7e77052e7c1173f4d1c65d1aca9a4a53463b6a2fdf25da1b58a638d73f30ffbaaf60c7f7120e024548c8b099e769465c5a247

Score

10^/10

redline 111 infostealer

Malware Config

Extracted

Family

redline

Botnet

111

C2

188.68.205.12:20861

Attributes

auth_value
7160caade6584e8f8e67bbb8a6565985

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000021e3c-128.dat	family_redline
behavioral2/files/0x0007000000021e3c-130.dat	family_redline
behavioral2/memory/3592-133-0x0000000000540000-0x0000000000560000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3140	yuMBYoKlosa.exe
3592	ZH0OUCCaah2.exe
2884	5d0aad9e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	1_KpCGvNj.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	checkip.amazonaws.com
22	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4580	2884	WerFault.exe	93

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1988	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	yuMBYoKlosa.exe
Token: SeDebugPrivilege	2884	5d0aad9e.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 3140	4812	1_KpCGvNj.exe	82
PID 4812 wrote to memory of 3140	4812	1_KpCGvNj.exe	82
PID 4812 wrote to memory of 3592	4812	1_KpCGvNj.exe	83
PID 4812 wrote to memory of 3592	4812	1_KpCGvNj.exe	83
PID 4812 wrote to memory of 3592	4812	1_KpCGvNj.exe	83
PID 3140 wrote to memory of 216	3140	yuMBYoKlosa.exe	89
PID 3140 wrote to memory of 216	3140	yuMBYoKlosa.exe	89
PID 216 wrote to memory of 4368	216	cmd.exe	91
PID 216 wrote to memory of 4368	216	cmd.exe	91
PID 216 wrote to memory of 1988	216	cmd.exe	90
PID 216 wrote to memory of 1988	216	cmd.exe	90
PID 216 wrote to memory of 2884	216	cmd.exe	93
PID 216 wrote to memory of 2884	216	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\1_KpCGvNj.exe
"C:\Users\Admin\AppData\Local\Temp\1_KpCGvNj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Public\yuMBYoKlosa.exe
  "C:\Users\Public\yuMBYoKlosa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp95BD.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1988
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d "C:\ProgramData\Graphics Status v3.7.1"
      4⤵
      PID:4368
  - - C:\ProgramData\Graphics Status v3.7.1\5d0aad9e.exe
      "C:\ProgramData\Graphics Status v3.7.1\5d0aad9e.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2884
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2884 -s 1632
        5⤵
        Program crash
        
        PID:4580
- C:\Users\Public\ZH0OUCCaah2.exe
  "C:\Users\Public\ZH0OUCCaah2.exe"
  2⤵
  - Executes dropped EXE
  PID:3592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2884 -ip 2884
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Graphics Status v3.7.1\5d0aad9e.exe

Filesize
20.1MB

MD5
0ef5faac46772093922b5d5b5f8561f6

SHA1
e8b22ef5d62c92920c365467f5afbde205cf6b3f

SHA256
4c8d20d2dc48579bdbdea5529f7fd44ca18509d39bdf1ac4c90cfe2a8de48a6d

SHA512
d3c0ebec0d84544369188fedf22cfb4f7cf9652423eaaa407ae5981f1dc65755fd28d2c852c97ee331299afdef66af901ba83e97d5ab68db11434c9b486cfe4c

Download Submit
C:\ProgramData\Graphics Status v3.7.1\5d0aad9e.exe

Filesize
20.1MB

MD5
0ef5faac46772093922b5d5b5f8561f6

SHA1
e8b22ef5d62c92920c365467f5afbde205cf6b3f

SHA256
4c8d20d2dc48579bdbdea5529f7fd44ca18509d39bdf1ac4c90cfe2a8de48a6d

SHA512
d3c0ebec0d84544369188fedf22cfb4f7cf9652423eaaa407ae5981f1dc65755fd28d2c852c97ee331299afdef66af901ba83e97d5ab68db11434c9b486cfe4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95BD.tmp.bat

Filesize
346B

MD5
044e001fa29d001d647a8f8dc3d0e07e

SHA1
6843806005d1661a57ffc42af40a11b1c5f5bd5e

SHA256
444def0edb89d307860ccbfe048cc71ae10595eedf83a480eee89154d9c6c878

SHA512
4ca236c9b09e3a56ea9ab3952cc853b421ef8dea8b89229181a6e48dc37a41db56a89a9e4057291c3ca8648b2d2a980564fa1f83411a9943ba9e5498639ab88f

Download Submit
C:\Users\Public\ZH0OUCCaah2.exe

Filesize
102KB

MD5
00221a6351e7426f7e88c157373f9b80

SHA1
198c2862a7fe3f2e0ec0913cc877bdd5fb7f11c4

SHA256
9ff2e6275d3d9e43de22d1acce77cb536cda79b86f6605a73312110b0e74e78b

SHA512
15932947c2f5e312b2467efc9ec2954fec49d1a32f3f3a8932ce5414a62c9030faa8bf94544df7474dca713ce243813ae9e263f7a8030d41a2e0613f20bb1318

Download Submit
C:\Users\Public\ZH0OUCCaah2.exe

Filesize
102KB

MD5
00221a6351e7426f7e88c157373f9b80

SHA1
198c2862a7fe3f2e0ec0913cc877bdd5fb7f11c4

SHA256
9ff2e6275d3d9e43de22d1acce77cb536cda79b86f6605a73312110b0e74e78b

SHA512
15932947c2f5e312b2467efc9ec2954fec49d1a32f3f3a8932ce5414a62c9030faa8bf94544df7474dca713ce243813ae9e263f7a8030d41a2e0613f20bb1318

Download Submit
C:\Users\Public\yuMBYoKlosa.exe

Filesize
42KB

MD5
c523d423234494eeb7b60a892d7a4bea

SHA1
db992908237ee2ab5c07f4362b9a29516ac09a5d

SHA256
98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3

SHA512
0aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec

Download Submit
C:\Users\Public\yuMBYoKlosa.exe

Filesize
42KB

MD5
c523d423234494eeb7b60a892d7a4bea

SHA1
db992908237ee2ab5c07f4362b9a29516ac09a5d

SHA256
98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3

SHA512
0aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec

Download Submit
memory/2884-145-0x00007FFD37D60000-0x00007FFD38821000-memory.dmp

Filesize
10.8MB

Download
memory/2884-146-0x000000001BBC0000-0x000000001BBC2000-memory.dmp

Filesize
8KB

Download
memory/3140-129-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/3140-132-0x000000001B060000-0x000000001B062000-memory.dmp

Filesize
8KB

Download
memory/3140-131-0x00007FFD37D60000-0x00007FFD38821000-memory.dmp

Filesize
10.8MB

Download
memory/3592-134-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/3592-137-0x0000000004F30000-0x0000000004F6C000-memory.dmp

Filesize
240KB

Download
memory/3592-136-0x0000000005000000-0x000000000510A000-memory.dmp

Filesize
1.0MB

Download
memory/3592-135-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/3592-133-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing