redline | 2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

General

Target

0b757d38d347d1f763f59ab7f0423ae8.exe
Size

406KB
MD5

0b757d38d347d1f763f59ab7f0423ae8
SHA1

fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577
SHA256

2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124
SHA512

0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Score

10^/10

redline x infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

X

C2

194.127.179.35:35180

Attributes

auth_value
76e43cff05002e5f6e3334fa7946e404

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3840-136-0x000000000041ADAE-mapping.dmp	family_redline
behavioral2/memory/3840-142-0x0000000001320000-0x0000000001340000-memory.dmp	family_redline
behavioral2/memory/3140-164-0x000000000041ADAE-mapping.dmp	family_redline
behavioral2/memory/4496-174-0x000000000041ADAE-mapping.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

WinRar Activator.exechromedrivers32.exechromedrivers32.exe

pid process

4844 WinRar Activator.exe
1648 chromedrivers32.exe
928 chromedrivers32.exe

pid	process
4844	WinRar Activator.exe
1648	chromedrivers32.exe
928	chromedrivers32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0b757d38d347d1f763f59ab7f0423ae8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	0b757d38d347d1f763f59ab7f0423ae8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

0b757d38d347d1f763f59ab7f0423ae8.exechromedrivers32.exechromedrivers32.exe

description	pid	process	target process
PID 3192 set thread context of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 1648 set thread context of 3140	1648	chromedrivers32.exe	vbc.exe
PID 928 set thread context of 4496	928	chromedrivers32.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5056 schtasks.exe
944 schtasks.exe
1928 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

3840 vbc.exe
3140 vbc.exe
4496 vbc.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

0b757d38d347d1f763f59ab7f0423ae8.exe

pid process

3192 0b757d38d347d1f763f59ab7f0423ae8.exe

pid	process
5056	schtasks.exe
944	schtasks.exe
1928	schtasks.exe

pid	process
3840	vbc.exe
3140	vbc.exe
4496	vbc.exe

pid	process
3192	0b757d38d347d1f763f59ab7f0423ae8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WinRar Activator.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4844	WinRar Activator.exe
Token: SeDebugPrivilege	3840	vbc.exe
Token: SeDebugPrivilege	3140	vbc.exe
Token: SeDebugPrivilege	4496	vbc.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

0b757d38d347d1f763f59ab7f0423ae8.execmd.exechromedrivers32.execmd.exechromedrivers32.execmd.exe

description	pid	process	target process
PID 3192 wrote to memory of 4376	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 3192 wrote to memory of 4376	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 4376 wrote to memory of 5056	4376	cmd.exe	schtasks.exe
PID 4376 wrote to memory of 5056	4376	cmd.exe	schtasks.exe
PID 3192 wrote to memory of 4248	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 3192 wrote to memory of 4248	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	cmd.exe
PID 3192 wrote to memory of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 3192 wrote to memory of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 3192 wrote to memory of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 3192 wrote to memory of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 3192 wrote to memory of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 3192 wrote to memory of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 3192 wrote to memory of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 3192 wrote to memory of 3840	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	vbc.exe
PID 3192 wrote to memory of 4844	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	WinRar Activator.exe
PID 3192 wrote to memory of 4844	3192	0b757d38d347d1f763f59ab7f0423ae8.exe	WinRar Activator.exe
PID 1648 wrote to memory of 3124	1648	chromedrivers32.exe	cmd.exe
PID 1648 wrote to memory of 3124	1648	chromedrivers32.exe	cmd.exe
PID 3124 wrote to memory of 944	3124	cmd.exe	schtasks.exe
PID 3124 wrote to memory of 944	3124	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 1832	1648	chromedrivers32.exe	cmd.exe
PID 1648 wrote to memory of 1832	1648	chromedrivers32.exe	cmd.exe
PID 1648 wrote to memory of 3140	1648	chromedrivers32.exe	vbc.exe
PID 1648 wrote to memory of 3140	1648	chromedrivers32.exe	vbc.exe
PID 1648 wrote to memory of 3140	1648	chromedrivers32.exe	vbc.exe
PID 1648 wrote to memory of 3140	1648	chromedrivers32.exe	vbc.exe
PID 1648 wrote to memory of 3140	1648	chromedrivers32.exe	vbc.exe
PID 1648 wrote to memory of 3140	1648	chromedrivers32.exe	vbc.exe
PID 1648 wrote to memory of 3140	1648	chromedrivers32.exe	vbc.exe
PID 1648 wrote to memory of 3140	1648	chromedrivers32.exe	vbc.exe
PID 928 wrote to memory of 4216	928	chromedrivers32.exe	cmd.exe
PID 928 wrote to memory of 4216	928	chromedrivers32.exe	cmd.exe
PID 4216 wrote to memory of 1928	4216	cmd.exe	schtasks.exe
PID 4216 wrote to memory of 1928	4216	cmd.exe	schtasks.exe
PID 928 wrote to memory of 1876	928	chromedrivers32.exe	cmd.exe
PID 928 wrote to memory of 1876	928	chromedrivers32.exe	cmd.exe
PID 928 wrote to memory of 4496	928	chromedrivers32.exe	vbc.exe
PID 928 wrote to memory of 4496	928	chromedrivers32.exe	vbc.exe
PID 928 wrote to memory of 4496	928	chromedrivers32.exe	vbc.exe
PID 928 wrote to memory of 4496	928	chromedrivers32.exe	vbc.exe
PID 928 wrote to memory of 4496	928	chromedrivers32.exe	vbc.exe
PID 928 wrote to memory of 4496	928	chromedrivers32.exe	vbc.exe
PID 928 wrote to memory of 4496	928	chromedrivers32.exe	vbc.exe
PID 928 wrote to memory of 4496	928	chromedrivers32.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe
"C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5056

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\0b757d38d347d1f763f59ab7f0423ae8.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
2⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe
"C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
3⤵
- Creates scheduled task(s)
PID:944

C:\Windows\system32\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
2⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\system32\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\chromedrivers32.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe" "C:\Users\Admin\AppData\Roaming\chromedrivers32.exe"
2⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chromedrivers32.exe.log
Filesize
859B

MD5
6e11a15fe4491ead2a94f64d3467be38

SHA1
9a8329fb71ddc89dae9aa174c0b44a1f646efd63

SHA256
087cf6355ae9fc71eea2493b30c6b10a6775f3dd68b2cb5e07fcc13461b74248

SHA512
6154e320e2556aef177fc5bfb4e5fe8fabe324af736b89db4db41e6dd51658f7f6a7d0f73c24dc6ccdc4edf14023f4a1ecd0908abac5b82cebd038a93b2fc106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
Filesize
2KB

MD5
c40dcb45840af9111f48eb9d55d7649e

SHA1
de2c2c9ada9711e8caf7122963ae83a343a4b71c

SHA256
9f5ecbc5028a388fcd8bc6c4974b81f9a8dec4bc30101df6f7d797ef71759d01

SHA512
fae4924fbfeb06234275187b866e43f83a888f2d13d83c3d17db0c54f2da054745b9a1e4883f84b1ed8faffdf50122f908c15576fc2df7daa76e156c898c8fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe
Filesize
259KB

MD5
f385414230d858b00cbe7ffe3daa5928

SHA1
04f24e4f0bab06e7d58fc39b328baf382dae9cff

SHA256
b9ef9b0ae62b70c0ee11f8ff8bc87e2a7b91c2ebbd46af1a29bc5b4119145335

SHA512
1f9ad4545b37f2953f1e0f9c9409cc960d7cf30d926c80fb58e92924566d20b3ecf7a971a93f998da105c5e8b36ff5a6b9de46d29a7accd0f96ed9d1c0efb8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRar Activator.exe
Filesize
259KB

MD5
f385414230d858b00cbe7ffe3daa5928

SHA1
04f24e4f0bab06e7d58fc39b328baf382dae9cff

SHA256
b9ef9b0ae62b70c0ee11f8ff8bc87e2a7b91c2ebbd46af1a29bc5b4119145335

SHA512
1f9ad4545b37f2953f1e0f9c9409cc960d7cf30d926c80fb58e92924566d20b3ecf7a971a93f998da105c5e8b36ff5a6b9de46d29a7accd0f96ed9d1c0efb8c2

Download Submit
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
C:\Users\Admin\AppData\Roaming\chromedrivers32.exe
Filesize
406KB

MD5
0b757d38d347d1f763f59ab7f0423ae8

SHA1
fcf1b343ab5c7f9ac72fc6c85b3c478c5875f577

SHA256
2105710d19c34b91be3a37c24ab4a4835dcdc606c0f2d8b487beb0d24e336124

SHA512
0b9661590897256242ddc4ea43d069999e1ddca9d7fed671a6aa31a60f0da4bd820b8bb6c2502fa1b7979dea932375e2363e882e31379935751af1cdf2ce7d94

Download Submit
memory/928-170-0x00007FFD42800000-0x00007FFD432C1000-memory.dmp

Filesize
10.8MB

Download
memory/928-175-0x00007FFD42800000-0x00007FFD432C1000-memory.dmp

Filesize
10.8MB

Download
memory/944-160-0x0000000000000000-mapping.dmp

Download
memory/1648-166-0x00007FFD42800000-0x00007FFD432C1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-162-0x00007FFD42800000-0x00007FFD432C1000-memory.dmp

Filesize
10.8MB

Download
memory/1832-161-0x0000000000000000-mapping.dmp

Download
memory/1876-172-0x0000000000000000-mapping.dmp

Download
memory/1928-171-0x0000000000000000-mapping.dmp

Download
memory/3124-159-0x0000000000000000-mapping.dmp

Download
memory/3140-164-0x000000000041ADAE-mapping.dmp

Download
memory/3192-141-0x00007FFD42800000-0x00007FFD432C1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-130-0x00000000009D0000-0x0000000000A38000-memory.dmp

Filesize
416KB

Download
memory/3192-134-0x00007FFD42800000-0x00007FFD432C1000-memory.dmp

Filesize
10.8MB

Download
memory/3840-144-0x0000000005E50000-0x0000000006468000-memory.dmp

Filesize
6.1MB

Download
memory/3840-136-0x000000000041ADAE-mapping.dmp

Download
memory/3840-152-0x0000000006910000-0x0000000006976000-memory.dmp

Filesize
408KB

Download
memory/3840-148-0x0000000006A20000-0x0000000006FC4000-memory.dmp

Filesize
5.6MB

Download
memory/3840-154-0x00000000075A0000-0x0000000007762000-memory.dmp

Filesize
1.8MB

Download
memory/3840-155-0x00000000083B0000-0x00000000088DC000-memory.dmp

Filesize
5.2MB

Download
memory/3840-156-0x0000000007870000-0x00000000078C0000-memory.dmp

Filesize
320KB

Download
memory/3840-147-0x0000000005950000-0x000000000598C000-memory.dmp

Filesize
240KB

Download
memory/3840-146-0x0000000005A20000-0x0000000005B2A000-memory.dmp

Filesize
1.0MB

Download
memory/3840-145-0x00000000058F0000-0x0000000005902000-memory.dmp

Filesize
72KB

Download
memory/3840-149-0x0000000006470000-0x0000000006502000-memory.dmp

Filesize
584KB

Download
memory/3840-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3840-151-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/3840-150-0x0000000006510000-0x0000000006586000-memory.dmp

Filesize
472KB

Download
memory/3840-142-0x0000000001320000-0x0000000001340000-memory.dmp

Filesize
128KB

Download
memory/4216-169-0x0000000000000000-mapping.dmp

Download
memory/4248-133-0x0000000000000000-mapping.dmp

Download
memory/4376-131-0x0000000000000000-mapping.dmp

Download
memory/4496-174-0x000000000041ADAE-mapping.dmp

Download
memory/4844-137-0x0000000000000000-mapping.dmp

Download
memory/4844-140-0x0000022D9E0A0000-0x0000022D9E0E6000-memory.dmp

Filesize
280KB

Download
memory/4844-143-0x00007FFD42800000-0x00007FFD432C1000-memory.dmp

Filesize
10.8MB

Download
memory/4844-153-0x00007FFD42800000-0x00007FFD432C1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads