redline | 148607dfd0bbe0d5b58268c6bd252a2cdbd2271e4f1b43138eb7de47eb51bf65

Analysis

max time kernel
144s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-04-2022 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d23377638cab0ee29ab55a5312279c32.exe
Size

1.9MB
MD5

d23377638cab0ee29ab55a5312279c32
SHA1

c97a094fb56509a79cdec0a56a5099d77aadd7a5
SHA256

148607dfd0bbe0d5b58268c6bd252a2cdbd2271e4f1b43138eb7de47eb51bf65
SHA512

e4eddf8407bb96b1916e6a32376ec6950dfa822d36519ad8cab03ac57a391bd49d61b003ce261eccabba0bbf73788e77739bf8426b95a6adc306a1311f8a7004

Score

10^/10

redline @ansdvsvsvd infostealer spyware vmprotect

Malware Config

Extracted

Family

redline

Botnet

@ansdvsvsvd

46.8.220.88:65531

Attributes

auth_value
d7b874c6650abbcb219b4f56f4676fee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3284-133-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fl.exeservices32.exesihost32.exe

pid process

4320 fl.exe
4920 services32.exe
792 sihost32.exe

pid	process
4320	fl.exe
4920	services32.exe
792	sihost32.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\fl.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\fl.exe	vmprotect
behavioral2/memory/4320-152-0x0000000000900000-0x000000000111A000-memory.dmp	vmprotect
C:\Windows\System32\services32.exe	vmprotect
C:\Windows\system32\services32.exe	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	services32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 3 IoCs

Processes:

fl.exeservices32.exe

description	ioc	process
File created	C:\Windows\system32\services32.exe	fl.exe
File opened for modification	C:\Windows\system32\services32.exe	fl.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	services32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d23377638cab0ee29ab55a5312279c32.exe

description pid process target process

PID 2368 set thread context of 3284 2368 d23377638cab0ee29ab55a5312279c32.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4072 schtasks.exe

description	pid	process	target process
PID 2368 set thread context of 3284	2368	d23377638cab0ee29ab55a5312279c32.exe	AppLaunch.exe

pid	process
4072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

AppLaunch.exefl.exepowershell.exepowershell.exeservices32.exepowershell.exepowershell.exe

pid	process
3284	AppLaunch.exe
4320	fl.exe
2000	powershell.exe
2000	powershell.exe
3512	powershell.exe
3512	powershell.exe
4920	services32.exe
4920	services32.exe
4988	powershell.exe
4988	powershell.exe
1588	powershell.exe
1588	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AppLaunch.exefl.exepowershell.exepowershell.exeservices32.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3284	AppLaunch.exe
Token: SeDebugPrivilege	4320	fl.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	4920	services32.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

d23377638cab0ee29ab55a5312279c32.exeAppLaunch.exefl.execmd.execmd.execmd.exeservices32.execmd.exe

description	pid	process	target process
PID 2368 wrote to memory of 3284	2368	d23377638cab0ee29ab55a5312279c32.exe	AppLaunch.exe
PID 2368 wrote to memory of 3284	2368	d23377638cab0ee29ab55a5312279c32.exe	AppLaunch.exe
PID 2368 wrote to memory of 3284	2368	d23377638cab0ee29ab55a5312279c32.exe	AppLaunch.exe
PID 2368 wrote to memory of 3284	2368	d23377638cab0ee29ab55a5312279c32.exe	AppLaunch.exe
PID 2368 wrote to memory of 3284	2368	d23377638cab0ee29ab55a5312279c32.exe	AppLaunch.exe
PID 3284 wrote to memory of 4320	3284	AppLaunch.exe	fl.exe
PID 3284 wrote to memory of 4320	3284	AppLaunch.exe	fl.exe
PID 4320 wrote to memory of 1568	4320	fl.exe	cmd.exe
PID 4320 wrote to memory of 1568	4320	fl.exe	cmd.exe
PID 1568 wrote to memory of 2000	1568	cmd.exe	powershell.exe
PID 1568 wrote to memory of 2000	1568	cmd.exe	powershell.exe
PID 4320 wrote to memory of 3160	4320	fl.exe	cmd.exe
PID 4320 wrote to memory of 3160	4320	fl.exe	cmd.exe
PID 3160 wrote to memory of 4072	3160	cmd.exe	schtasks.exe
PID 3160 wrote to memory of 4072	3160	cmd.exe	schtasks.exe
PID 1568 wrote to memory of 3512	1568	cmd.exe	powershell.exe
PID 1568 wrote to memory of 3512	1568	cmd.exe	powershell.exe
PID 4320 wrote to memory of 3796	4320	fl.exe	cmd.exe
PID 4320 wrote to memory of 3796	4320	fl.exe	cmd.exe
PID 3796 wrote to memory of 4920	3796	cmd.exe	services32.exe
PID 3796 wrote to memory of 4920	3796	cmd.exe	services32.exe
PID 4920 wrote to memory of 2056	4920	services32.exe	cmd.exe
PID 4920 wrote to memory of 2056	4920	services32.exe	cmd.exe
PID 2056 wrote to memory of 4988	2056	cmd.exe	powershell.exe
PID 2056 wrote to memory of 4988	2056	cmd.exe	powershell.exe
PID 4920 wrote to memory of 792	4920	services32.exe	sihost32.exe
PID 4920 wrote to memory of 792	4920	services32.exe	sihost32.exe
PID 2056 wrote to memory of 1588	2056	cmd.exe	powershell.exe
PID 2056 wrote to memory of 1588	2056	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d23377638cab0ee29ab55a5312279c32.exe
"C:\Users\Admin\AppData\Local\Temp\d23377638cab0ee29ab55a5312279c32.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
5⤵
- Creates scheduled task(s)
PID:4072

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
6⤵
- Executes dropped EXE
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
63aec5618613b4be6bd15b82345a971e

SHA1
cf3df18b2ed2b082a513dd53e55afb720cefe40e

SHA256
f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

SHA512
a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
Filesize
4.1MB

MD5
316f80a8407ffa9e69852ec4d1bf90e9

SHA1
1e3aa2295857b33b515fb1d816f5f13cefa89c1f

SHA256
86f95e3bf14fe58390b93000122a822857b3c7d54e2d10a725c2b93e69ebba89

SHA512
c5c23bfffc84f2af3c736c7439f0294625302de27afde7a5f20260d0ff29654c0b61b257b0173d7b3a1f26328363b1ac95e664757bcc944247448c04c10e9e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
Filesize
4.1MB

MD5
316f80a8407ffa9e69852ec4d1bf90e9

SHA1
1e3aa2295857b33b515fb1d816f5f13cefa89c1f

SHA256
86f95e3bf14fe58390b93000122a822857b3c7d54e2d10a725c2b93e69ebba89

SHA512
c5c23bfffc84f2af3c736c7439f0294625302de27afde7a5f20260d0ff29654c0b61b257b0173d7b3a1f26328363b1ac95e664757bcc944247448c04c10e9e6a

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
Filesize
9KB

MD5
ce15357c848de5a619508a9dba6de45e

SHA1
e996170fa8164b8703939af43214ae1531d7075c

SHA256
1d7802b0933014148b105628cbe81f0b997e7dc28b4713e0e225ae84d9ced838

SHA512
9a2639db9b62f7bed3740e010e0399fa855693553acbadcd66da180c0e9ddd840886279df279f496483e68edeaae87e78477dd7331fb7111378acb1b8c2f6f2f

Download Submit
C:\Windows\System32\services32.exe
Filesize
4.1MB

MD5
316f80a8407ffa9e69852ec4d1bf90e9

SHA1
1e3aa2295857b33b515fb1d816f5f13cefa89c1f

SHA256
86f95e3bf14fe58390b93000122a822857b3c7d54e2d10a725c2b93e69ebba89

SHA512
c5c23bfffc84f2af3c736c7439f0294625302de27afde7a5f20260d0ff29654c0b61b257b0173d7b3a1f26328363b1ac95e664757bcc944247448c04c10e9e6a

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
Filesize
9KB

MD5
ce15357c848de5a619508a9dba6de45e

SHA1
e996170fa8164b8703939af43214ae1531d7075c

SHA256
1d7802b0933014148b105628cbe81f0b997e7dc28b4713e0e225ae84d9ced838

SHA512
9a2639db9b62f7bed3740e010e0399fa855693553acbadcd66da180c0e9ddd840886279df279f496483e68edeaae87e78477dd7331fb7111378acb1b8c2f6f2f

Download Submit
C:\Windows\system32\services32.exe
Filesize
4.1MB

MD5
316f80a8407ffa9e69852ec4d1bf90e9

SHA1
1e3aa2295857b33b515fb1d816f5f13cefa89c1f

SHA256
86f95e3bf14fe58390b93000122a822857b3c7d54e2d10a725c2b93e69ebba89

SHA512
c5c23bfffc84f2af3c736c7439f0294625302de27afde7a5f20260d0ff29654c0b61b257b0173d7b3a1f26328363b1ac95e664757bcc944247448c04c10e9e6a

Download Submit
memory/792-190-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp

Filesize
10.8MB

Download
memory/792-184-0x0000000000000000-mapping.dmp

Download
memory/792-187-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/792-194-0x000000001BB30000-0x000000001BB32000-memory.dmp

Filesize
8KB

Download
memory/1568-157-0x0000000000000000-mapping.dmp

Download
memory/1588-196-0x0000027FB9C46000-0x0000027FB9C48000-memory.dmp

Filesize
8KB

Download
memory/1588-189-0x0000000000000000-mapping.dmp

Download
memory/1588-191-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp

Filesize
10.8MB

Download
memory/1588-192-0x0000027FB9C40000-0x0000027FB9C42000-memory.dmp

Filesize
8KB

Download
memory/1588-193-0x0000027FB9C43000-0x0000027FB9C45000-memory.dmp

Filesize
8KB

Download
memory/2000-166-0x000002CD2C836000-0x000002CD2C838000-memory.dmp

Filesize
8KB

Download
memory/2000-158-0x0000000000000000-mapping.dmp

Download
memory/2000-159-0x000002CD2D660000-0x000002CD2D682000-memory.dmp

Filesize
136KB

Download
memory/2000-163-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2000-165-0x000002CD2C833000-0x000002CD2C835000-memory.dmp

Filesize
8KB

Download
memory/2000-164-0x000002CD2C830000-0x000002CD2C832000-memory.dmp

Filesize
8KB

Download
memory/2056-181-0x0000000000000000-mapping.dmp

Download
memory/2368-131-0x0000000000970000-0x0000000000B52000-memory.dmp

Filesize
1.9MB

Download
memory/3160-160-0x0000000000000000-mapping.dmp

Download
memory/3284-148-0x0000000007DD0000-0x00000000082FC000-memory.dmp

Filesize
5.2MB

Download
memory/3284-142-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/3284-132-0x0000000000000000-mapping.dmp

Download
memory/3284-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3284-146-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/3284-147-0x00000000070C0000-0x0000000007282000-memory.dmp

Filesize
1.8MB

Download
memory/3284-144-0x00000000061F0000-0x0000000006282000-memory.dmp

Filesize
584KB

Download
memory/3284-143-0x0000000006090000-0x0000000006106000-memory.dmp

Filesize
472KB

Download
memory/3284-145-0x0000000006840000-0x0000000006DE4000-memory.dmp

Filesize
5.6MB

Download
memory/3284-138-0x00000000057B0000-0x0000000005DC8000-memory.dmp

Filesize
6.1MB

Download
memory/3284-139-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/3284-140-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/3284-141-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download
memory/3512-167-0x0000000000000000-mapping.dmp

Download
memory/3512-173-0x000001BB40C16000-0x000001BB40C18000-memory.dmp

Filesize
8KB

Download
memory/3512-172-0x000001BB40C13000-0x000001BB40C15000-memory.dmp

Filesize
8KB

Download
memory/3512-171-0x000001BB40C10000-0x000001BB40C12000-memory.dmp

Filesize
8KB

Download
memory/3512-170-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-174-0x0000000000000000-mapping.dmp

Download
memory/4072-161-0x0000000000000000-mapping.dmp

Download
memory/4320-149-0x0000000000000000-mapping.dmp

Download
memory/4320-152-0x0000000000900000-0x000000000111A000-memory.dmp

Filesize
8.1MB

Download
memory/4320-153-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp

Filesize
10.8MB

Download
memory/4320-156-0x0000000001940000-0x0000000001952000-memory.dmp

Filesize
72KB

Download
memory/4320-162-0x000000001DF30000-0x000000001DF32000-memory.dmp

Filesize
8KB

Download
memory/4920-178-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-175-0x0000000000000000-mapping.dmp

Download
memory/4988-188-0x00007FFBF6400000-0x00007FFBF6EC1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-182-0x0000000000000000-mapping.dmp

Download