redline | 37926c19118bb775fdc7e1ed9198ad5c28a9d3ebf7fbb8f3bc9c59915f03c7b6

General

Target

jgadfgadfgadfgadfg.exe
Size

86KB
MD5

ad8364cf205c83121bc0a814e757cafe
SHA1

e9e8f645e34f37f88ea81f9a58a80e215a0b5ce6
SHA256

37926c19118bb775fdc7e1ed9198ad5c28a9d3ebf7fbb8f3bc9c59915f03c7b6
SHA512

49fc7c62cf19c6e9026d2654ca587b3f80970a6c19b2729139f30da12c7acd9c0c14334d3e575b206bd9e56e46bb11009259111da688df08a3239c9889995cb8

Score

10^/10

redline cheats discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

cheats

C2

5.249.162.225:16731

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Okjzyqowxr.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Okjzyqowxr.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Okjzyqowxr.exe	family_redline
behavioral1/memory/1680-60-0x0000000000BA0000-0x0000000000BBE000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

Okjzyqowxr.exe

pid process

1680 Okjzyqowxr.exe
Loads dropped DLL 1 IoCs

Processes:

jgadfgadfgadfgadfg.exe

pid process

1092 jgadfgadfgadfgadfg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1680	Okjzyqowxr.exe

pid	process
1092	jgadfgadfgadfgadfg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Okjzyqowxr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Okjzyqowxr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Okjzyqowxr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Okjzyqowxr.exe

pid process

1680 Okjzyqowxr.exe
1680 Okjzyqowxr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Okjzyqowxr.exe

description pid process

Token: SeDebugPrivilege 1680 Okjzyqowxr.exe

pid	process
1680	Okjzyqowxr.exe
1680	Okjzyqowxr.exe

description	pid	process
Token: SeDebugPrivilege	1680	Okjzyqowxr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

jgadfgadfgadfgadfg.exe

description	pid	process	target process
PID 1092 wrote to memory of 1680	1092	jgadfgadfgadfgadfg.exe	Okjzyqowxr.exe
PID 1092 wrote to memory of 1680	1092	jgadfgadfgadfgadfg.exe	Okjzyqowxr.exe
PID 1092 wrote to memory of 1680	1092	jgadfgadfgadfgadfg.exe	Okjzyqowxr.exe
PID 1092 wrote to memory of 1680	1092	jgadfgadfgadfgadfg.exe	Okjzyqowxr.exe

C:\Users\Admin\AppData\Local\Temp\jgadfgadfgadfgadfg.exe
"C:\Users\Admin\AppData\Local\Temp\jgadfgadfgadfgadfg.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\Okjzyqowxr.exe
"C:\Users\Admin\AppData\Local\Temp\Okjzyqowxr.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Okjzyqowxr.exe
Filesize
95KB

MD5
b27c93e7880924b0a13504c214204d94

SHA1
aeca49edf0086ce10baccffb52caccf8fc883742

SHA256
822d4be0f23ff69985264de4d28efa8754684ffb7c5929cb73cb4f9f7858504f

SHA512
c6974d9cffa76d64a6f4612f0163878957a6ac25ee96010d0d663bb4df4e6d4691c2cf5758106273b2fc4aaf0ed32ba857d1fef784cf676835acab37d7efd9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okjzyqowxr.exe
Filesize
95KB

MD5
b27c93e7880924b0a13504c214204d94

SHA1
aeca49edf0086ce10baccffb52caccf8fc883742

SHA256
822d4be0f23ff69985264de4d28efa8754684ffb7c5929cb73cb4f9f7858504f

SHA512
c6974d9cffa76d64a6f4612f0163878957a6ac25ee96010d0d663bb4df4e6d4691c2cf5758106273b2fc4aaf0ed32ba857d1fef784cf676835acab37d7efd9db

Download Submit
\Users\Admin\AppData\Local\Temp\Okjzyqowxr.exe
Filesize
95KB

MD5
b27c93e7880924b0a13504c214204d94

SHA1
aeca49edf0086ce10baccffb52caccf8fc883742

SHA256
822d4be0f23ff69985264de4d28efa8754684ffb7c5929cb73cb4f9f7858504f

SHA512
c6974d9cffa76d64a6f4612f0163878957a6ac25ee96010d0d663bb4df4e6d4691c2cf5758106273b2fc4aaf0ed32ba857d1fef784cf676835acab37d7efd9db

Download Submit
memory/1092-54-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1092-55-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download
memory/1680-57-0x0000000000000000-mapping.dmp

Download
memory/1680-60-0x0000000000BA0000-0x0000000000BBE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads