redline | 3080f7ed1cb9ec8fbf4c0cf992bd0eb9dba5f69d0342f58ebcc8943d28c77a97

General

Target

379a6a4f7be0d0e21a5e5b996ea8aeeb.exe
Size

1.2MB
MD5

379a6a4f7be0d0e21a5e5b996ea8aeeb
SHA1

27df283dcb89ee72f304df89d3938239acc32439
SHA256

3080f7ed1cb9ec8fbf4c0cf992bd0eb9dba5f69d0342f58ebcc8943d28c77a97
SHA512

e6705fc43877d4f46052f03dbd0a17cdc5afee7b2d6eec4f944556d005a613e9b356361ad3df9cb5164925f5429109d348a4c0b90018220047f8956d9b32f4b8

Score

10^/10

redline logsdiller cloud (sup: @mr_golds)infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

193.233.193.14:8163

Attributes

auth_value
56c6f7b9024c076f0a96931453da7e56

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/186120-56-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/186120-61-0x00000000000AAE1E-mapping.dmp	family_redline
behavioral1/memory/186120-63-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/186120-62-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

379a6a4f7be0d0e21a5e5b996ea8aeeb.exe

description pid process target process

PID 1656 set thread context of 186120 1656 379a6a4f7be0d0e21a5e5b996ea8aeeb.exe AppLaunch.exe

description	pid	process	target process
PID 1656 set thread context of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BF4F64E1-1633-11ED-A4E9-76B395A35041} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba5427000000000200000000001066000000010000200000006341e5ec45231470fc10b0dbd4f8df0e272ed925bb5d604ae74adc7a42afcc0e000000000e80000000020000200000007301f077dc234a70ade0d1c4ae2250b4f0c980eb583815e18fc08c95da418d90900000001061763162f9f04f56c2d5b57090f5d04e16575b7933acf8fd4c3981b3d9e79a9cd8d2850555b364c5783787a3500d51356765118bbb50e523b1f7a5cd595aeb09f3878b175efacd7bd8725aef6d4a18c641570f0fde9edcd9a543f08578db9b4a3c16201fe2e45e9a9d44e2c4b26bf00bc1d586bfadc4eea14561029529d6d1ad545b8c351cba51a00c50dcdee0aaf140000000558e4fe8452be7a6d46d757fd4315091673eb390f374f4ac92afa4d4843eefb344aa709b15b7bc2aee8875704a92949f3036aa5e1524cdc22e3372d27133d483	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366629681"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba5427000000000200000000001066000000010000200000006c7f792852725edeec379142b95a659585067b58dc6e9683d6a8b6014ba82d15000000000e800000000200002000000033c69d66d615614047fe8e6eca042efa579978a8bfb956940ffb83ee7aa8aa072000000063757e4bdd7fcde2b907317989095bf23b8360a57fc8de8e3bac9cb2633736e740000000a3d6cadd3984532ab10d132d4f1b5445fd990ac9665af6e80b05dca044c65e6d278527069ad0d73bcf57f1245e407538f127276b187069d0630f7ebf1e31e675	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e024868c40aad801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AppLaunch.exe

pid process

186120 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 186120 AppLaunch.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

186144 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

186144 iexplore.exe
186144 iexplore.exe
816 IEXPLORE.EXE
816 IEXPLORE.EXE
816 IEXPLORE.EXE
816 IEXPLORE.EXE

pid	process
186120	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	186120	AppLaunch.exe

pid	process
186144	iexplore.exe

pid	process
186144	iexplore.exe
186144	iexplore.exe
816	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

379a6a4f7be0d0e21a5e5b996ea8aeeb.exeAppLaunch.exeiexplore.exe

description	pid	process	target process
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 1656 wrote to memory of 186120	1656	379a6a4f7be0d0e21a5e5b996ea8aeeb.exe	AppLaunch.exe
PID 186120 wrote to memory of 186144	186120	AppLaunch.exe	iexplore.exe
PID 186120 wrote to memory of 186144	186120	AppLaunch.exe	iexplore.exe
PID 186120 wrote to memory of 186144	186120	AppLaunch.exe	iexplore.exe
PID 186120 wrote to memory of 186144	186120	AppLaunch.exe	iexplore.exe
PID 186144 wrote to memory of 816	186144	iexplore.exe	IEXPLORE.EXE
PID 186144 wrote to memory of 816	186144	iexplore.exe	IEXPLORE.EXE
PID 186144 wrote to memory of 816	186144	iexplore.exe	IEXPLORE.EXE
PID 186144 wrote to memory of 816	186144	iexplore.exe	IEXPLORE.EXE
PID 186144 wrote to memory of 816	186144	iexplore.exe	IEXPLORE.EXE
PID 186144 wrote to memory of 816	186144	iexplore.exe	IEXPLORE.EXE
PID 186144 wrote to memory of 816	186144	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\379a6a4f7be0d0e21a5e5b996ea8aeeb.exe
"C:\Users\Admin\AppData\Local\Temp\379a6a4f7be0d0e21a5e5b996ea8aeeb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:186120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://take-realprize.life/?u=lq1pd08&o=hdck0gl
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:186144

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:186144 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
1d34ba5b878bd7e4d3b7591514148330

SHA1
0a6debfb7644eef455c553d5ba9008dac8d81cd9

SHA256
d203e801ef8640e07c7f801933cc387e593f17502d522d62489ee9b4a7e631a4

SHA512
2ba16d271042eae2bac31ce1259007d31f9564ea0961a483754c751718279f7049a36e802b6171e227722c02cc1fac26d7564427b3847ded642118151dd05000

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IKV4TDFQ.txt
Filesize
605B

MD5
b6abc2d27f5f920f3e460c99262b1eac

SHA1
80ada88012a4756763367c3f1fb6ac82c68dd115

SHA256
8746ac418ac65cc629e777454095b55ffd1d0404f61044866490970b5d8085e2

SHA512
1f9e9f0db43865c6d8a8926224282d77672838914a6ebb208808c0ec0062671ca46a5f27652220c3ef87f1b5ff90ade55de5956df3b1a928d9c141a1566d6dd5

Download Submit
memory/186120-54-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/186120-56-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/186120-61-0x00000000000AAE1E-mapping.dmp

Download
memory/186120-63-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/186120-62-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/186120-64-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads