redline | 05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1

General

Target

a76608f42563198c86f4a7f10ea910cc.exe
Size

374KB
MD5

a76608f42563198c86f4a7f10ea910cc
SHA1

8ea79e0e0523e9b7d1993ab08408d3b369c2a802
SHA256

05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1
SHA512

0bad64c511d78964da9397813876c49102cd34031dbdbd61304cef33136c82b3830bee8623ed7f4dc067f0b6c90956d5b04843c64b218458ad8a3cdf44378091

Score

10^/10

redline ruzkiunikalno discovery evasion infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

redline

Botnet

RuzkiUNIKALNO

C2

193.233.48.58:38989

Attributes

auth_value
c504b04cfbdd4bf85ce6195bcb37fba6

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-63-0x00000000009C0000-0x00000000009F4000-memory.dmp	family_redline
behavioral1/memory/1068-67-0x00000000009F0000-0x0000000000A24000-memory.dmp	family_redline

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

rrun.exe.exe

pid process

1068 rrun.exe.exe

pid	process
1068	rrun.exe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a76608f42563198c86f4a7f10ea910cc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation	a76608f42563198c86f4a7f10ea910cc.exe

Loads dropped DLL 2 IoCs

Processes:

a76608f42563198c86f4a7f10ea910cc.exe

pid process

1092 a76608f42563198c86f4a7f10ea910cc.exe
1092 a76608f42563198c86f4a7f10ea910cc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ipinfo.io
17 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1092	a76608f42563198c86f4a7f10ea910cc.exe
1092	a76608f42563198c86f4a7f10ea910cc.exe

flow	ioc
18	ipinfo.io
17	ipinfo.io

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a76608f42563198c86f4a7f10ea910cc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	a76608f42563198c86f4a7f10ea910cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	a76608f42563198c86f4a7f10ea910cc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a76608f42563198c86f4a7f10ea910cc.exe

pid process

1092 a76608f42563198c86f4a7f10ea910cc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rrun.exe.exe

description pid process

Token: SeDebugPrivilege 1068 rrun.exe.exe

pid	process
1092	a76608f42563198c86f4a7f10ea910cc.exe

description	pid	process
Token: SeDebugPrivilege	1068	rrun.exe.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a76608f42563198c86f4a7f10ea910cc.exe

description	pid	process	target process
PID 1092 wrote to memory of 1068	1092	a76608f42563198c86f4a7f10ea910cc.exe	rrun.exe.exe
PID 1092 wrote to memory of 1068	1092	a76608f42563198c86f4a7f10ea910cc.exe	rrun.exe.exe
PID 1092 wrote to memory of 1068	1092	a76608f42563198c86f4a7f10ea910cc.exe	rrun.exe.exe
PID 1092 wrote to memory of 1068	1092	a76608f42563198c86f4a7f10ea910cc.exe	rrun.exe.exe

C:\Users\Admin\AppData\Local\Temp\a76608f42563198c86f4a7f10ea910cc.exe
"C:\Users\Admin\AppData\Local\Temp\a76608f42563198c86f4a7f10ea910cc.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\Pictures\Adobe Films\rrun.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\rrun.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Adobe Films\rrun.exe.exe
Filesize
415KB

MD5
77f3685864f058d9bd47298fb2741e04

SHA1
18b02934b2c22fb8786fdd03fba266a19bbaffd3

SHA256
0556d888fbe5dbc66e2ff5acf9e82c9d971bfb5983a9fb9786b1956030506dc8

SHA512
dd8cae914255e94c677588fda0409e3bb49db2451f7a8dfbccb5ac927a3ac6c8d5e1c8112d557a2ef196419335862020a8664ed45562137bd941b90f0709fb30

Download Submit
\Users\Admin\Pictures\Adobe Films\rrun.exe.exe
Filesize
415KB

MD5
77f3685864f058d9bd47298fb2741e04

SHA1
18b02934b2c22fb8786fdd03fba266a19bbaffd3

SHA256
0556d888fbe5dbc66e2ff5acf9e82c9d971bfb5983a9fb9786b1956030506dc8

SHA512
dd8cae914255e94c677588fda0409e3bb49db2451f7a8dfbccb5ac927a3ac6c8d5e1c8112d557a2ef196419335862020a8664ed45562137bd941b90f0709fb30

Download Submit
\Users\Admin\Pictures\Adobe Films\rrun.exe.exe
Filesize
415KB

MD5
77f3685864f058d9bd47298fb2741e04

SHA1
18b02934b2c22fb8786fdd03fba266a19bbaffd3

SHA256
0556d888fbe5dbc66e2ff5acf9e82c9d971bfb5983a9fb9786b1956030506dc8

SHA512
dd8cae914255e94c677588fda0409e3bb49db2451f7a8dfbccb5ac927a3ac6c8d5e1c8112d557a2ef196419335862020a8664ed45562137bd941b90f0709fb30

Download Submit
memory/1068-63-0x00000000009C0000-0x00000000009F4000-memory.dmp

Filesize
208KB

Download
memory/1068-61-0x0000000000000000-mapping.dmp

Download
memory/1068-65-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1068-64-0x0000000000AAE000-0x0000000000ADA000-memory.dmp

Filesize
176KB

Download
memory/1068-66-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/1068-67-0x00000000009F0000-0x0000000000A24000-memory.dmp

Filesize
208KB

Download
memory/1092-58-0x0000000005FD0000-0x0000000006190000-memory.dmp

Filesize
1.8MB

Download
memory/1092-57-0x0000000000400000-0x0000000002B7B000-memory.dmp

Filesize
39.5MB

Download
memory/1092-55-0x0000000002D3E000-0x0000000002D5A000-memory.dmp

Filesize
112KB

Download
memory/1092-56-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/1092-54-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads