redline | 097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3

Analysis

max time kernel
150s
max time network
97s
platform
windows10-1703_x64
resource
win10-20220722-en
resource tags

arch:x64arch:x86image:win10-20220722-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2022 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe
Size

217KB
MD5

866712ff3ee1a86a3d7e31f47a05bc1a
SHA1

96db9c850937da4bf477292f45ad13a9badd1beb
SHA256

097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3
SHA512

04ab6240596242101a1f2d628fcaddc8369a1d0496b1f817f9cecd7b22a9c8048cc4312337f94133b4fda97e5c1b61a8887a010b0e8e7e107597780d571c19cd

Score

10^/10

redline af2 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

AF2

stcontact.top:80

Attributes

auth_value
4d729a2faecb406a0eb1d6fcf30432fa

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

61C7.exe

pid process

4880 61C7.exe
Deletes itself 1 IoCs

Processes:

pid process

2908
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4880	61C7.exe

pid	process
2908

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe

pid	process
2764	097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe
2764	097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908
2908

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2908
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe

pid process

2764 097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe

pid	process
2908

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

61C7.exe

description	pid	process
Token: SeDebugPrivilege	4880	61C7.exe
Token: SeShutdownPrivilege	2908
Token: SeCreatePagefilePrivilege	2908
Token: SeShutdownPrivilege	2908
Token: SeCreatePagefilePrivilege	2908

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 2908 wrote to memory of 4880	2908	61C7.exe
PID 2908 wrote to memory of 4880	2908	61C7.exe
PID 2908 wrote to memory of 4880	2908	61C7.exe

C:\Users\Admin\AppData\Local\Temp\097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe
"C:\Users\Admin\AppData\Local\Temp\097d0f102d1c4ca490caf9ecf7c2fd106959a3b97d0f856706f5452af5bee2a3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2764

C:\Users\Admin\AppData\Local\Temp\61C7.exe
C:\Users\Admin\AppData\Local\Temp\61C7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61C7.exe
Filesize
322KB

MD5
5adf033f3e58cf0b93486eb035c91081

SHA1
92f3d22dac6bec17d57d4223e6c8b97de9a6a851

SHA256
5f8b68f141b1c66e809fed0b994a7b27392e1202e7d81631c7a08c5e2acf5e3e

SHA512
21cb9fa7a641942d10961fc2bc99189808b86aea02fc5ad783402a24ddf313b7cf0810570c5698d4e7f4d261a3e6e86cf12d50e351b29ce48446e74e8e08c7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\61C7.exe
Filesize
322KB

MD5
5adf033f3e58cf0b93486eb035c91081

SHA1
92f3d22dac6bec17d57d4223e6c8b97de9a6a851

SHA256
5f8b68f141b1c66e809fed0b994a7b27392e1202e7d81631c7a08c5e2acf5e3e

SHA512
21cb9fa7a641942d10961fc2bc99189808b86aea02fc5ad783402a24ddf313b7cf0810570c5698d4e7f4d261a3e6e86cf12d50e351b29ce48446e74e8e08c7c4

Download Submit
memory/2764-127-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-128-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-129-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-130-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-131-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-132-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-133-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-134-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-135-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-136-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-137-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-138-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-139-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-140-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-141-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-143-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-144-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-146-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-145-0x0000000002510000-0x000000000265A000-memory.dmp

Filesize
1.3MB

Download
memory/2764-147-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-148-0x00000000041D0000-0x00000000041D9000-memory.dmp

Filesize
36KB

Download
memory/2764-150-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-149-0x0000000000400000-0x00000000024BC000-memory.dmp

Filesize
32.7MB

Download
memory/2764-151-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-152-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-153-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-154-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-155-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-156-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-157-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-158-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-160-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-161-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-162-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-159-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/2764-163-0x0000000000400000-0x00000000024BC000-memory.dmp

Filesize
32.7MB

Download
memory/4880-164-0x0000000000000000-mapping.dmp

Download
memory/4880-166-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-167-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-168-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-169-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-170-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-171-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-172-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-174-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-175-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-176-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-178-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-177-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-179-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-180-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-181-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-182-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-183-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-185-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-184-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-187-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-188-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-186-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-189-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-190-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-191-0x0000000002876000-0x00000000028A1000-memory.dmp

Filesize
172KB

Download
memory/4880-192-0x00000000024E0000-0x000000000262A000-memory.dmp

Filesize
1.3MB

Download
memory/4880-193-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-194-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-195-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-196-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-197-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-198-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-199-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-200-0x0000000077630000-0x00000000777BE000-memory.dmp

Filesize
1.6MB

Download
memory/4880-203-0x0000000000400000-0x00000000024D6000-memory.dmp

Filesize
32.8MB

Download
memory/4880-209-0x0000000004250000-0x0000000004280000-memory.dmp

Filesize
192KB

Download
memory/4880-214-0x0000000006E90000-0x000000000738E000-memory.dmp

Filesize
5.0MB

Download
memory/4880-216-0x0000000004400000-0x0000000004430000-memory.dmp

Filesize
192KB

Download
memory/4880-227-0x0000000007390000-0x0000000007996000-memory.dmp

Filesize
6.0MB

Download
memory/4880-228-0x0000000004500000-0x0000000004512000-memory.dmp

Filesize
72KB

Download
memory/4880-229-0x0000000006D40000-0x0000000006E4A000-memory.dmp

Filesize
1.0MB

Download
memory/4880-232-0x0000000004880000-0x00000000048BE000-memory.dmp

Filesize
248KB

Download
memory/4880-240-0x0000000007AA0000-0x0000000007AEB000-memory.dmp

Filesize
300KB

Download
memory/4880-251-0x0000000002876000-0x00000000028A1000-memory.dmp

Filesize
172KB

Download
memory/4880-265-0x0000000008690000-0x0000000008706000-memory.dmp

Filesize
472KB

Download
memory/4880-266-0x00000000024E0000-0x000000000262A000-memory.dmp

Filesize
1.3MB

Download
memory/4880-267-0x0000000008750000-0x00000000087E2000-memory.dmp

Filesize
584KB

Download
memory/4880-270-0x0000000008950000-0x000000000896E000-memory.dmp

Filesize
120KB

Download
memory/4880-271-0x00000000089F0000-0x0000000008A56000-memory.dmp

Filesize
408KB

Download
memory/4880-279-0x0000000008D10000-0x0000000008D60000-memory.dmp

Filesize
320KB

Download
memory/4880-280-0x0000000009010000-0x00000000091D2000-memory.dmp

Filesize
1.8MB

Download
memory/4880-281-0x00000000091F0000-0x000000000971C000-memory.dmp

Filesize
5.2MB

Download
memory/4880-288-0x0000000000400000-0x00000000024D6000-memory.dmp

Filesize
32.8MB

Download
memory/4880-289-0x0000000002876000-0x00000000028A1000-memory.dmp

Filesize
172KB

Download