redline | 1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8

Analysis

max time kernel
150s
max time network
102s
platform
windows10_x64
resource
win10-20220414-en
resource tags

arch:x64arch:x86image:win10-20220414-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2022 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe
Size

219KB
MD5

f57b14891f50f0c86096822a78f22b7d
SHA1

5b64a887f40b11d6c95dd68828832df1f8fd2008
SHA256

1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8
SHA512

a157cf4f3d3334e31306d98bdd5f0ba9a52cc1efa91c94ba472d0ac51411236f157f4551e59bde200aafe912ff492c58df4e268c119ce044f82c276d8bf62411

Score

10^/10

redline af2 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

AF2

stcontact.top:80

Attributes

auth_value
4d729a2faecb406a0eb1d6fcf30432fa

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

4D2.exe

pid process

2256 4D2.exe
Deletes itself 1 IoCs

Processes:

pid process

3016
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2256	4D2.exe

pid	process
3016

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe

pid	process
3924	1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe
3924	1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe

pid process

3924 1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe

pid	process
3016

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

4D2.exe

description	pid	process
Token: SeDebugPrivilege	2256	4D2.exe
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 3016 wrote to memory of 2256	3016	4D2.exe
PID 3016 wrote to memory of 2256	3016	4D2.exe
PID 3016 wrote to memory of 2256	3016	4D2.exe

C:\Users\Admin\AppData\Local\Temp\1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe
"C:\Users\Admin\AppData\Local\Temp\1b38a93f515ec88de7550d305d407d2c1faa9756ad0559f76a71232e4452c4d8.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3924

C:\Users\Admin\AppData\Local\Temp\4D2.exe
C:\Users\Admin\AppData\Local\Temp\4D2.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4D2.exe
Filesize
323KB

MD5
6132dce93fecbbd54ddb3491f0553377

SHA1
f90d2ae680de19775c9368a5b075f5c8d5d72c81

SHA256
09fb1d64b4b480fb48cfecb85a0f53bf8b1ec3b43d9e49939d8675c4d921cb08

SHA512
1f628f33cdc6713cdd6fd7732e61d75db924c8443587c45cd00f2695dddf67e8b87104c3609d47143bf8e126417b83a90d81bef2a7e2b9e6fe41b172eb2f024d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D2.exe
Filesize
323KB

MD5
6132dce93fecbbd54ddb3491f0553377

SHA1
f90d2ae680de19775c9368a5b075f5c8d5d72c81

SHA256
09fb1d64b4b480fb48cfecb85a0f53bf8b1ec3b43d9e49939d8675c4d921cb08

SHA512
1f628f33cdc6713cdd6fd7732e61d75db924c8443587c45cd00f2695dddf67e8b87104c3609d47143bf8e126417b83a90d81bef2a7e2b9e6fe41b172eb2f024d

Download Submit
memory/2256-188-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-187-0x0000000000400000-0x00000000024D7000-memory.dmp

Filesize
32.8MB

Download
memory/2256-281-0x0000000000400000-0x00000000024D7000-memory.dmp

Filesize
32.8MB

Download
memory/2256-280-0x00000000027F6000-0x0000000002821000-memory.dmp

Filesize
172KB

Download
memory/2256-275-0x0000000009650000-0x00000000096A0000-memory.dmp

Filesize
320KB

Download
memory/2256-274-0x0000000000400000-0x00000000024D7000-memory.dmp

Filesize
32.8MB

Download
memory/2256-273-0x0000000002610000-0x000000000275A000-memory.dmp

Filesize
1.3MB

Download
memory/2256-272-0x00000000027F6000-0x0000000002821000-memory.dmp

Filesize
172KB

Download
memory/2256-269-0x0000000009060000-0x000000000958C000-memory.dmp

Filesize
5.2MB

Download
memory/2256-268-0x0000000008C90000-0x0000000008E52000-memory.dmp

Filesize
1.8MB

Download
memory/2256-267-0x0000000008A20000-0x0000000008A3E000-memory.dmp

Filesize
120KB

Download
memory/2256-264-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/2256-263-0x00000000088B0000-0x0000000008926000-memory.dmp

Filesize
472KB

Download
memory/2256-255-0x0000000008550000-0x00000000085B6000-memory.dmp

Filesize
408KB

Download
memory/2256-231-0x0000000007800000-0x000000000784B000-memory.dmp

Filesize
300KB

Download
memory/2256-167-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-223-0x00000000077C0000-0x00000000077FE000-memory.dmp

Filesize
248KB

Download
memory/2256-220-0x00000000076B0000-0x00000000077BA000-memory.dmp

Filesize
1.0MB

Download
memory/2256-219-0x0000000006B10000-0x0000000006B22000-memory.dmp

Filesize
72KB

Download
memory/2256-218-0x00000000070A0000-0x00000000076A6000-memory.dmp

Filesize
6.0MB

Download
memory/2256-207-0x0000000004540000-0x0000000004570000-memory.dmp

Filesize
192KB

Download
memory/2256-205-0x0000000006BA0000-0x000000000709E000-memory.dmp

Filesize
5.0MB

Download
memory/2256-200-0x0000000004350000-0x0000000004380000-memory.dmp

Filesize
192KB

Download
memory/2256-192-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-191-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-190-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-189-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-176-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-186-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-182-0x00000000027F6000-0x0000000002821000-memory.dmp

Filesize
172KB

Download
memory/2256-184-0x0000000002610000-0x000000000275A000-memory.dmp

Filesize
1.3MB

Download
memory/2256-166-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-185-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-183-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-180-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-155-0x0000000000000000-mapping.dmp

Download
memory/2256-157-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-158-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-159-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-160-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-161-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-162-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-163-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-165-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-181-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-178-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-179-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-168-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-169-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-170-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-171-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-172-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-173-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-174-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-175-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/2256-177-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-144-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-136-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-138-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-152-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-120-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-154-0x0000000000400000-0x00000000024BD000-memory.dmp

Filesize
32.7MB

Download
memory/3924-153-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-151-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-150-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-149-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-148-0x0000000000400000-0x00000000024BD000-memory.dmp

Filesize
32.7MB

Download
memory/3924-118-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-147-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-146-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-145-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-121-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-143-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-119-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-142-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-141-0x00000000025B0000-0x00000000026FA000-memory.dmp

Filesize
1.3MB

Download
memory/3924-140-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-139-0x00000000025B0000-0x00000000026FA000-memory.dmp

Filesize
1.3MB

Download
memory/3924-137-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-135-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-134-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-132-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-131-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-130-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-129-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-128-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-127-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-126-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-125-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-124-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-123-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-122-0x00000000774E0000-0x000000007766E000-memory.dmp

Filesize
1.6MB

Download