redline | 77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e

Analysis

max time kernel
150s
max time network
98s
platform
windows10-1703_x64
resource
win10-20220722-en
resource tags

arch:x64arch:x86image:win10-20220722-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2022 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe
Size

212KB
MD5

07fff911d102363323de4d3420f5cd10
SHA1

6874c3da85e4fd010699230cb9781d513530c97e
SHA256

77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e
SHA512

03f67842f673a0f7116b5c80c785656e3cae0500b6f6441ae0dc113a41258582d7325372ba00e8dc0881af5be3ccfa8046814407cc3310286cc7eae6861ec99e

Score

10^/10

redline af2 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

AF2

stcontact.top:80

Attributes

auth_value
4d729a2faecb406a0eb1d6fcf30432fa

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

5AE1.exe

pid process

3500 5AE1.exe
Deletes itself 1 IoCs

Processes:

pid process

3056
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3500	5AE1.exe

pid	process
3056

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe

pid	process
2148	77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe
2148	77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe

pid process

2148 77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe

pid	process
3056

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

5AE1.exe

description	pid	process
Token: SeDebugPrivilege	3500	5AE1.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 3056 wrote to memory of 3500	3056	5AE1.exe
PID 3056 wrote to memory of 3500	3056	5AE1.exe
PID 3056 wrote to memory of 3500	3056	5AE1.exe

C:\Users\Admin\AppData\Local\Temp\77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe
"C:\Users\Admin\AppData\Local\Temp\77d8296d6c5bda26c89877da36b17ff40267ba5009af03e567c0688a1622b95e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2148

C:\Users\Admin\AppData\Local\Temp\5AE1.exe
C:\Users\Admin\AppData\Local\Temp\5AE1.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5AE1.exe
Filesize
315KB

MD5
18d91cd743eb66a2f3c4f9e1b406b1ef

SHA1
1a42ab71bac78df18bf398b54bcbe01c27408b50

SHA256
adf47ffe0ae687e2d9d6f0eab159d0bd6aa05fb11c7d1c4fde48c6c9aea40360

SHA512
1be6dc5965a89c6ac07897e358b9bf41cf58d664de6c3e7bf74aab88894063b1840838b6a3dd63c6f92b8fb96a4d6d5f699949a227a98f2db162c3a4581abd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AE1.exe
Filesize
315KB

MD5
18d91cd743eb66a2f3c4f9e1b406b1ef

SHA1
1a42ab71bac78df18bf398b54bcbe01c27408b50

SHA256
adf47ffe0ae687e2d9d6f0eab159d0bd6aa05fb11c7d1c4fde48c6c9aea40360

SHA512
1be6dc5965a89c6ac07897e358b9bf41cf58d664de6c3e7bf74aab88894063b1840838b6a3dd63c6f92b8fb96a4d6d5f699949a227a98f2db162c3a4581abd88

Download Submit
memory/2148-145-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-129-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-131-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-147-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-133-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-134-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-135-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-137-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-136-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-138-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-139-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-140-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-141-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-142-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-143-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-144-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-127-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-146-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-132-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-130-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-150-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-149-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-151-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-152-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-153-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-154-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-155-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-157-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-158-0x0000000002510000-0x0000000002519000-memory.dmp

Filesize
36KB

Download
memory/2148-159-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-160-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-156-0x00000000026C6000-0x00000000026D7000-memory.dmp

Filesize
68KB

Download
memory/2148-161-0x0000000000400000-0x00000000024BB000-memory.dmp

Filesize
32.7MB

Download
memory/2148-162-0x00000000026C6000-0x00000000026D7000-memory.dmp

Filesize
68KB

Download
memory/2148-163-0x0000000000400000-0x00000000024BB000-memory.dmp

Filesize
32.7MB

Download
memory/2148-148-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/2148-128-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-172-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-195-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-167-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-169-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-170-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-171-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-166-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-174-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-164-0x0000000000000000-mapping.dmp

Download
memory/3500-175-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-176-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-177-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-178-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-179-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-180-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-181-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-183-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-184-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-185-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-186-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-187-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-188-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-190-0x00000000024E0000-0x000000000258E000-memory.dmp

Filesize
696KB

Download
memory/3500-189-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-191-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-192-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-194-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-168-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-193-0x0000000002650000-0x0000000002688000-memory.dmp

Filesize
224KB

Download
memory/3500-196-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-197-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-198-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-199-0x0000000000400000-0x00000000024D5000-memory.dmp

Filesize
32.8MB

Download
memory/3500-200-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-201-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-202-0x0000000077830000-0x00000000779BE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-210-0x00000000044B0000-0x00000000044E0000-memory.dmp

Filesize
192KB

Download
memory/3500-215-0x0000000006C30000-0x000000000712E000-memory.dmp

Filesize
5.0MB

Download
memory/3500-217-0x0000000004610000-0x0000000004640000-memory.dmp

Filesize
192KB

Download
memory/3500-228-0x0000000007740000-0x0000000007D46000-memory.dmp

Filesize
6.0MB

Download
memory/3500-229-0x0000000007160000-0x0000000007172000-memory.dmp

Filesize
72KB

Download
memory/3500-230-0x0000000007190000-0x000000000729A000-memory.dmp

Filesize
1.0MB

Download
memory/3500-233-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/3500-241-0x0000000007330000-0x000000000737B000-memory.dmp

Filesize
300KB

Download
memory/3500-250-0x0000000002650000-0x0000000002688000-memory.dmp

Filesize
224KB

Download
memory/3500-266-0x00000000086C0000-0x0000000008726000-memory.dmp

Filesize
408KB

Download
memory/3500-268-0x00000000024E0000-0x000000000258E000-memory.dmp

Filesize
696KB

Download
memory/3500-275-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/3500-276-0x0000000008AE0000-0x0000000008B72000-memory.dmp

Filesize
584KB

Download
memory/3500-279-0x0000000008AA0000-0x0000000008ABE000-memory.dmp

Filesize
120KB

Download
memory/3500-280-0x0000000000400000-0x00000000024D5000-memory.dmp

Filesize
32.8MB

Download
memory/3500-281-0x0000000008D60000-0x0000000008DB0000-memory.dmp

Filesize
320KB

Download
memory/3500-282-0x0000000008DD0000-0x0000000008F92000-memory.dmp

Filesize
1.8MB

Download
memory/3500-283-0x0000000008FA0000-0x00000000094CC000-memory.dmp

Filesize
5.2MB

Download
memory/3500-290-0x0000000000400000-0x00000000024D5000-memory.dmp

Filesize
32.8MB

Download