redline | 5cf09ada20a1467a9f031f8253ca916e3a61d1a399ad64153e63d6ed140f7ee3

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-09-2022 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.2MB
MD5

106adc0183d444263d6675db1a2e9540
SHA1

d4479ce12196290bea418795e36628a136021949
SHA256

5cf09ada20a1467a9f031f8253ca916e3a61d1a399ad64153e63d6ed140f7ee3
SHA512

921aa6487e6bb524fab9dad94b59c65f2a567965d845490fd5ada5c27be3e23889d22700591ca581cf639c6662b33d61d3e42b2fe87a52482050edd5a91110fb
SSDEEP

49152:F70aLyun15F4UfHlSQWeBGnWSglFJp+uRp4LgCBAvQlAXHzziRy2oqIR7R4j:FAaLyun15FHnJsWJ0oH4lAgSJR2

Score

10^/10

redline 5 discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

116.203.187.3:14916

Attributes

auth_value
febe6965b41d2583ad2bb6b5aa23cfd5

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/648-71-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/648-70-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/648-72-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/648-73-0x000000000041ADBA-mapping.dmp	family_redline
behavioral1/memory/648-77-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/648-75-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

mnr.exemnr.exe

pid process

812 mnr.exe
1956 mnr.exe
Loads dropped DLL 2 IoCs

Processes:

file.exetaskeng.exe

pid process

648 file.exe
1192 taskeng.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
812	mnr.exe
1956	mnr.exe

pid	process
648	file.exe
1192	taskeng.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tehtosfc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gsvigc\\Tehtosfc.exe\""	file.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 1200 set thread context of 648 1200 file.exe file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exefile.exepowershell.exefile.exepowershell.exe

pid process

2036 powershell.exe
1200 file.exe
1192 powershell.exe
648 file.exe
1684 powershell.exe

description	pid	process	target process
PID 1200 set thread context of 648	1200	file.exe	file.exe

pid	process
2036	powershell.exe
1200	file.exe
1192	powershell.exe
648	file.exe
1684	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exefile.exepowershell.exefile.exemnr.exepowershell.exemnr.exe

description	pid	process
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1200	file.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	648	file.exe
Token: SeDebugPrivilege	812	mnr.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1956	mnr.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

file.exefile.exemnr.exetaskeng.exe

description	pid	process	target process
PID 1200 wrote to memory of 2036	1200	file.exe	powershell.exe
PID 1200 wrote to memory of 2036	1200	file.exe	powershell.exe
PID 1200 wrote to memory of 2036	1200	file.exe	powershell.exe
PID 1200 wrote to memory of 2036	1200	file.exe	powershell.exe
PID 1200 wrote to memory of 1192	1200	file.exe	powershell.exe
PID 1200 wrote to memory of 1192	1200	file.exe	powershell.exe
PID 1200 wrote to memory of 1192	1200	file.exe	powershell.exe
PID 1200 wrote to memory of 1192	1200	file.exe	powershell.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 1200 wrote to memory of 648	1200	file.exe	file.exe
PID 648 wrote to memory of 812	648	file.exe	mnr.exe
PID 648 wrote to memory of 812	648	file.exe	mnr.exe
PID 648 wrote to memory of 812	648	file.exe	mnr.exe
PID 648 wrote to memory of 812	648	file.exe	mnr.exe
PID 812 wrote to memory of 1684	812	mnr.exe	powershell.exe
PID 812 wrote to memory of 1684	812	mnr.exe	powershell.exe
PID 812 wrote to memory of 1684	812	mnr.exe	powershell.exe
PID 1192 wrote to memory of 1956	1192	taskeng.exe	mnr.exe
PID 1192 wrote to memory of 1956	1192	taskeng.exe	mnr.exe
PID 1192 wrote to memory of 1956	1192	taskeng.exe	mnr.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 30
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\file.exe
C:\Users\Admin\AppData\Local\Temp\file.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\mnr.exe
"C:\Users\Admin\AppData\Local\Temp\mnr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\taskeng.exe
taskeng.exe {F018FF18-7F1A-47D2-91CB-C5B156FA9E97} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Roaming\mnr.exe
C:\Users\Admin\AppData\Roaming\mnr.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3a4cfa10fb9d8be5574e09592688923a

SHA1
4f161b3ebd1eab3a347af5be3545ca8b7be9bc6b

SHA256
0532b7dad3312f78acf5eb48664946f9e1792c4a11151a28dc71c3ba592a07e1

SHA512
2b85cc3ae97696a58330416863c69fdd09a219caee6e325f4547ba65ffb17637924f6699339a9fc019ff5c90c8bf3a6a230b0f77d70bbc477bdded2216a3960d

Download Submit
C:\Users\Admin\AppData\Roaming\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
C:\Users\Admin\AppData\Roaming\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
\Users\Admin\AppData\Local\Temp\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
\Users\Admin\AppData\Roaming\mnr.exe
Filesize
1.1MB

MD5
83f5b59561ffd68339e06f5e007537bf

SHA1
235df5c30aeba5f1f2fa93ea93a18f31f863460d

SHA256
dec3e568197c83617b06aa3b099d4cc7fc05b0881af4b0585e626b8eb5be572a

SHA512
cb2d670e1c6f9e4563b6be93ca053cfcb5a56c1fff3d9a8f0f2358822f10d4291afde09f8e0c9aba99fe09e45c5617bbed72ae0f88066a9468cb9828c26f0ba7

Download Submit
memory/648-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-73-0x000000000041ADBA-mapping.dmp

Download
memory/648-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-91-0x00000000067C0000-0x00000000068D8000-memory.dmp

Filesize
1.1MB

Download
memory/812-92-0x000007FEFCFD0000-0x000007FEFD03C000-memory.dmp

Filesize
432KB

Download
memory/812-102-0x000000013FEE0000-0x000000013FFF8000-memory.dmp

Filesize
1.1MB

Download
memory/812-87-0x000007FEFD4A0000-0x000007FEFD507000-memory.dmp

Filesize
412KB

Download
memory/812-88-0x0000000076CB0000-0x0000000076DAA000-memory.dmp

Filesize
1000KB

Download
memory/812-86-0x000007FEF6530000-0x000007FEF65CC000-memory.dmp

Filesize
624KB

Download
memory/812-89-0x000007FEFEEC0000-0x000007FEFEF5F000-memory.dmp

Filesize
636KB

Download
memory/812-85-0x000007FEFAC10000-0x000007FEFAC7F000-memory.dmp

Filesize
444KB

Download
memory/812-121-0x0000000002656000-0x0000000002675000-memory.dmp

Filesize
124KB

Download
memory/812-90-0x0000000076DB0000-0x0000000076ECF000-memory.dmp

Filesize
1.1MB

Download
memory/812-93-0x000000013FEE0000-0x000000013FFF8000-memory.dmp

Filesize
1.1MB

Download
memory/812-118-0x000007FEFCB80000-0x000007FEFCC11000-memory.dmp

Filesize
580KB

Download
memory/812-94-0x0000000000500000-0x0000000000542000-memory.dmp

Filesize
264KB

Download
memory/812-95-0x000007FEFD840000-0x000007FEFD8B1000-memory.dmp

Filesize
452KB

Download
memory/812-96-0x000007FEF6430000-0x000007FEF6527000-memory.dmp

Filesize
988KB

Download
memory/812-97-0x000007FEFEC90000-0x000007FEFED6B000-memory.dmp

Filesize
876KB

Download
memory/812-98-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/812-99-0x000007FEFD510000-0x000007FEFD63D000-memory.dmp

Filesize
1.2MB

Download
memory/812-100-0x000007FEFD230000-0x000007FEFD433000-memory.dmp

Filesize
2.0MB

Download
memory/812-101-0x000007FEFB540000-0x000007FEFB596000-memory.dmp

Filesize
344KB

Download
memory/812-80-0x0000000000000000-mapping.dmp

Download
memory/812-103-0x000007FEF6250000-0x000007FEF637C000-memory.dmp

Filesize
1.2MB

Download
memory/812-104-0x0000000002150000-0x00000000021F6000-memory.dmp

Filesize
664KB

Download
memory/812-105-0x0000000002440000-0x000000000248E000-memory.dmp

Filesize
312KB

Download
memory/812-106-0x000007FEFC660000-0x000007FEFC682000-memory.dmp

Filesize
136KB

Download
memory/812-107-0x000007FEFC510000-0x000007FEFC527000-memory.dmp

Filesize
92KB

Download
memory/812-108-0x000007FEFD640000-0x000007FEFD65F000-memory.dmp

Filesize
124KB

Download
memory/812-109-0x000007FEFD150000-0x000007FEFD227000-memory.dmp

Filesize
860KB

Download
memory/812-110-0x000000001AF50000-0x000000001AF9C000-memory.dmp

Filesize
304KB

Download
memory/812-111-0x000000013FEE0000-0x000000013FFF8000-memory.dmp

Filesize
1.1MB

Download
memory/812-112-0x0000000000500000-0x0000000000542000-memory.dmp

Filesize
264KB

Download
memory/812-117-0x000000001C2C0000-0x000000001C314000-memory.dmp

Filesize
336KB

Download
memory/812-122-0x000000013FEE0000-0x000000013FFF8000-memory.dmp

Filesize
1.1MB

Download
memory/1192-64-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/1192-61-0x0000000000000000-mapping.dmp

Download
memory/1192-65-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/1192-140-0x000000013F460000-0x000000013F578000-memory.dmp

Filesize
1.1MB

Download
memory/1192-66-0x000000006F450000-0x000000006F9FB000-memory.dmp

Filesize
5.7MB

Download
memory/1200-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1200-60-0x0000000005740000-0x0000000005964000-memory.dmp

Filesize
2.1MB

Download
memory/1200-54-0x0000000000930000-0x0000000000B66000-memory.dmp

Filesize
2.2MB

Download
memory/1684-120-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1684-116-0x000007FEEC1C0000-0x000007FEECD1D000-memory.dmp

Filesize
11.4MB

Download
memory/1684-119-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1684-115-0x000007FEECD20000-0x000007FEED743000-memory.dmp

Filesize
10.1MB

Download
memory/1684-114-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/1684-149-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1684-113-0x0000000000000000-mapping.dmp

Download
memory/1684-150-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1684-143-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1956-144-0x000007FEFD510000-0x000007FEFD63D000-memory.dmp

Filesize
1.2MB

Download
memory/1956-132-0x0000000076CB0000-0x0000000076DAA000-memory.dmp

Filesize
1000KB

Download
memory/1956-141-0x000000013F460000-0x000000013F578000-memory.dmp

Filesize
1.1MB

Download
memory/1956-145-0x000007FEFD230000-0x000007FEFD433000-memory.dmp

Filesize
2.0MB

Download
memory/1956-148-0x000007FEF6150000-0x000007FEF627C000-memory.dmp

Filesize
1.2MB

Download
memory/1956-147-0x000000013F460000-0x000000013F578000-memory.dmp

Filesize
1.1MB

Download
memory/1956-146-0x000007FEFB540000-0x000007FEFB596000-memory.dmp

Filesize
344KB

Download
memory/1956-137-0x000007FEF6280000-0x000007FEF6377000-memory.dmp

Filesize
988KB

Download
memory/1956-142-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/1956-138-0x000007FEFEC90000-0x000007FEFED6B000-memory.dmp

Filesize
876KB

Download
memory/1956-135-0x000007FEFCFD0000-0x000007FEFD03C000-memory.dmp

Filesize
432KB

Download
memory/1956-134-0x0000000076DB0000-0x0000000076ECF000-memory.dmp

Filesize
1.1MB

Download
memory/1956-133-0x000007FEFEEC0000-0x000007FEFEF5F000-memory.dmp

Filesize
636KB

Download
memory/1956-139-0x000007FEF4C40000-0x000007FEF562C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-136-0x000007FEFD840000-0x000007FEFD8B1000-memory.dmp

Filesize
452KB

Download
memory/1956-130-0x000007FEF6530000-0x000007FEF65CC000-memory.dmp

Filesize
624KB

Download
memory/1956-129-0x000007FEFAC10000-0x000007FEFAC7F000-memory.dmp

Filesize
444KB

Download
memory/1956-131-0x000007FEFD4A0000-0x000007FEFD507000-memory.dmp

Filesize
412KB

Download
memory/1956-124-0x0000000000000000-mapping.dmp

Download
memory/1956-153-0x000007FEFD640000-0x000007FEFD65F000-memory.dmp

Filesize
124KB

Download
memory/1956-152-0x000007FEFC510000-0x000007FEFC527000-memory.dmp

Filesize
92KB

Download
memory/1956-151-0x000007FEFC660000-0x000007FEFC682000-memory.dmp

Filesize
136KB

Download
memory/1956-154-0x000007FEFD150000-0x000007FEFD227000-memory.dmp

Filesize
860KB

Download
memory/1956-155-0x0000000000120000-0x0000000000162000-memory.dmp

Filesize
264KB

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download
memory/2036-58-0x0000000071170000-0x000000007171B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-59-0x0000000071170000-0x000000007171B000-memory.dmp

Filesize
5.7MB

Download