redline | d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7

Analysis

max time kernel
150s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe
Size

219KB
MD5

ebb14f7fffbf6439767b2904cc7d690c
SHA1

f0341c875fb56cb0d14ae15a075245109e118748
SHA256

d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7
SHA512

ec22ac86913f9410d9a545b78ba40ce7f87c4eece6256e7a2455b4e511354ac1f3ec16a1742ba5b61747a62d868a0f031f217081ac4429e4be73e08c02bddf73

Score

10^/10

redline af2 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

AF2

stcontact.top:80

Attributes

auth_value
4d729a2faecb406a0eb1d6fcf30432fa

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

470.exe

pid process

3084 470.exe
Deletes itself 1 IoCs

Processes:

pid process

2188
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3084	470.exe

pid	process
2188

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe

pid	process
1788	d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe
1788	d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188
2188

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2188
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe

pid process

1788 d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe

pid	process
2188

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

470.exe

description	pid	process
Token: SeDebugPrivilege	3084	470.exe
Token: SeShutdownPrivilege	2188
Token: SeCreatePagefilePrivilege	2188
Token: SeShutdownPrivilege	2188
Token: SeCreatePagefilePrivilege	2188

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pid process

2188
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2188

pid	process
2188

pid	process
2188

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 2188 wrote to memory of 3084	2188	470.exe
PID 2188 wrote to memory of 3084	2188	470.exe
PID 2188 wrote to memory of 3084	2188	470.exe

C:\Users\Admin\AppData\Local\Temp\d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe
"C:\Users\Admin\AppData\Local\Temp\d98317bf7545140cb164c43d9c922742c11f2145c6502406373e81105bf518f7.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1788

C:\Users\Admin\AppData\Local\Temp\470.exe
C:\Users\Admin\AppData\Local\Temp\470.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\470.exe
Filesize
323KB

MD5
a5b5bd6c6f00cf7cbda7b2114e73d528

SHA1
5034c5a4d5d5b279bc553209ca2e912ddb185961

SHA256
1ab420e2175e79ded0020adce53322ce1ba29698298271120bd675d5c4dc24e1

SHA512
e3b1bd015468400f297bd81f4ed0a527a42354da7050a31c44c3445d6f1d47d09085d5be5f4339730556af23c61872b49aa0ebaf124044c9ef7eb5a7c36c6918

Download Submit
C:\Users\Admin\AppData\Local\Temp\470.exe
Filesize
323KB

MD5
a5b5bd6c6f00cf7cbda7b2114e73d528

SHA1
5034c5a4d5d5b279bc553209ca2e912ddb185961

SHA256
1ab420e2175e79ded0020adce53322ce1ba29698298271120bd675d5c4dc24e1

SHA512
e3b1bd015468400f297bd81f4ed0a527a42354da7050a31c44c3445d6f1d47d09085d5be5f4339730556af23c61872b49aa0ebaf124044c9ef7eb5a7c36c6918

Download Submit
memory/1788-117-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-118-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-119-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-120-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-121-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-122-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-123-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-124-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-125-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-126-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-127-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-128-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-129-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-130-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-131-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-132-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-133-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-134-0x0000000002786000-0x0000000002796000-memory.dmp

Filesize
64KB

Download
memory/1788-135-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-136-0x00000000025A0000-0x00000000025A9000-memory.dmp

Filesize
36KB

Download
memory/1788-137-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-138-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-139-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-140-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-141-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-142-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-143-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-144-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-145-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-146-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-147-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-148-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-149-0x0000000000400000-0x00000000024BD000-memory.dmp

Filesize
32.7MB

Download
memory/1788-151-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-150-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-152-0x0000000002786000-0x0000000002796000-memory.dmp

Filesize
64KB

Download
memory/1788-153-0x0000000000400000-0x00000000024BD000-memory.dmp

Filesize
32.7MB

Download
memory/3084-154-0x0000000000000000-mapping.dmp

Download
memory/3084-156-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-157-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-158-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-159-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-160-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-161-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-162-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-164-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-165-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-166-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-167-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-168-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-169-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-170-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-171-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-172-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-173-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-175-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-174-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-176-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-177-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-178-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-179-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-180-0x0000000002826000-0x0000000002851000-memory.dmp

Filesize
172KB

Download
memory/3084-181-0x00000000024E0000-0x000000000262A000-memory.dmp

Filesize
1.3MB

Download
memory/3084-182-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-183-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-184-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-185-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-186-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-187-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-188-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-189-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-190-0x0000000077110000-0x000000007729E000-memory.dmp

Filesize
1.6MB

Download
memory/3084-192-0x0000000000400000-0x00000000024D7000-memory.dmp

Filesize
32.8MB

Download
memory/3084-199-0x0000000004240000-0x0000000004270000-memory.dmp

Filesize
192KB

Download
memory/3084-204-0x0000000006D50000-0x000000000724E000-memory.dmp

Filesize
5.0MB

Download
memory/3084-206-0x0000000004310000-0x0000000004340000-memory.dmp

Filesize
192KB

Download
memory/3084-217-0x0000000007250000-0x0000000007856000-memory.dmp

Filesize
6.0MB

Download
memory/3084-218-0x0000000006C50000-0x0000000006C62000-memory.dmp

Filesize
72KB

Download
memory/3084-219-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/3084-222-0x0000000006CC0000-0x0000000006CFE000-memory.dmp

Filesize
248KB

Download
memory/3084-230-0x0000000007A70000-0x0000000007ABB000-memory.dmp

Filesize
300KB

Download
memory/3084-254-0x0000000008690000-0x00000000086F6000-memory.dmp

Filesize
408KB

Download
memory/3084-262-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/3084-263-0x0000000008AE0000-0x0000000008B72000-memory.dmp

Filesize
584KB

Download
memory/3084-266-0x0000000008AA0000-0x0000000008ABE000-memory.dmp

Filesize
120KB

Download
memory/3084-267-0x0000000002826000-0x0000000002851000-memory.dmp

Filesize
172KB

Download
memory/3084-268-0x00000000024E0000-0x000000000262A000-memory.dmp

Filesize
1.3MB

Download
memory/3084-269-0x00000000090D0000-0x0000000009292000-memory.dmp

Filesize
1.8MB

Download
memory/3084-270-0x00000000092A0000-0x00000000097CC000-memory.dmp

Filesize
5.2MB

Download
memory/3084-273-0x00000000098A0000-0x00000000098F0000-memory.dmp

Filesize
320KB

Download
memory/3084-278-0x0000000002826000-0x0000000002851000-memory.dmp

Filesize
172KB

Download
memory/3084-279-0x0000000000400000-0x00000000024D7000-memory.dmp

Filesize
32.8MB

Download