redline | c7dd8d7224c0031bab4f6835b0404600295f1ce078a0936cba0e18a5624c1458

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-09-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dde444c389f2d4ae93c4107a812d406.exe
Size

7.3MB
MD5

4dde444c389f2d4ae93c4107a812d406
SHA1

8150efe56ae179bc051ba4b23ab2c674643d168e
SHA256

c7dd8d7224c0031bab4f6835b0404600295f1ce078a0936cba0e18a5624c1458
SHA512

1591667c9dd665a640a6a51027132267cc44e56c6331f2af857ab3659d8d740b7abe10c0ba665de2953d66bc69efe954820bc002498d2d1a39583298590837d0
SSDEEP

196608:RlXzkbjKRvPZcSShAWjF/g81pJgyJX1bAZr:nsjKRHZYhxo8dJlbc

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
860	Google Chrome.exe
1372	svchost.exe
1324	SLAYER Leecher v0.7.exe

Loads dropped DLL 3 IoCs

pid	Process
1668	4dde444c389f2d4ae93c4107a812d406.exe
1668	4dde444c389f2d4ae93c4107a812d406.exe
1668	4dde444c389f2d4ae93c4107a812d406.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
972	1324	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
860	Google Chrome.exe
860	Google Chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	Google Chrome.exe
Token: SeDebugPrivilege	1372	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 860	1668	4dde444c389f2d4ae93c4107a812d406.exe	27
PID 1668 wrote to memory of 860	1668	4dde444c389f2d4ae93c4107a812d406.exe	27
PID 1668 wrote to memory of 860	1668	4dde444c389f2d4ae93c4107a812d406.exe	27
PID 1668 wrote to memory of 860	1668	4dde444c389f2d4ae93c4107a812d406.exe	27
PID 1668 wrote to memory of 1372	1668	4dde444c389f2d4ae93c4107a812d406.exe	28
PID 1668 wrote to memory of 1372	1668	4dde444c389f2d4ae93c4107a812d406.exe	28
PID 1668 wrote to memory of 1372	1668	4dde444c389f2d4ae93c4107a812d406.exe	28
PID 1668 wrote to memory of 1372	1668	4dde444c389f2d4ae93c4107a812d406.exe	28
PID 1668 wrote to memory of 1324	1668	4dde444c389f2d4ae93c4107a812d406.exe	30
PID 1668 wrote to memory of 1324	1668	4dde444c389f2d4ae93c4107a812d406.exe	30
PID 1668 wrote to memory of 1324	1668	4dde444c389f2d4ae93c4107a812d406.exe	30
PID 1668 wrote to memory of 1324	1668	4dde444c389f2d4ae93c4107a812d406.exe	30
PID 1324 wrote to memory of 972	1324	SLAYER Leecher v0.7.exe	31
PID 1324 wrote to memory of 972	1324	SLAYER Leecher v0.7.exe	31
PID 1324 wrote to memory of 972	1324	SLAYER Leecher v0.7.exe	31

C:\Users\Admin\AppData\Local\Temp\4dde444c389f2d4ae93c4107a812d406.exe
"C:\Users\Admin\AppData\Local\Temp\4dde444c389f2d4ae93c4107a812d406.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Roaming\Google Chrome.exe
  "C:\Users\Admin\AppData\Roaming\Google Chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7.exe
  "C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1324 -s 608
    3⤵
    - Program crash
    PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7.exe

Filesize
6.6MB

MD5
aa0b6211f5245f25392b74fdbab048eb

SHA1
05c37446aca08847a2688257d0fb138f560b4db2

SHA256
74cb827e0324e02bae1b2632b624ff84bd4bd54b796bb046fa27f557ca8f8674

SHA512
97e44da681f5b7db132cd37b1a6305f45d5ec546a23ae3f55f8a8cd214e5c76d22947d12a844767c88fc1844f297f7ce7a85569859286b3b5816144979d05176

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7.exe

Filesize
6.6MB

MD5
aa0b6211f5245f25392b74fdbab048eb

SHA1
05c37446aca08847a2688257d0fb138f560b4db2

SHA256
74cb827e0324e02bae1b2632b624ff84bd4bd54b796bb046fa27f557ca8f8674

SHA512
97e44da681f5b7db132cd37b1a6305f45d5ec546a23ae3f55f8a8cd214e5c76d22947d12a844767c88fc1844f297f7ce7a85569859286b3b5816144979d05176

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome.exe

Filesize
401KB

MD5
a1c7ef8040d424d0be7e7baf9cd9eac9

SHA1
e4c3fb057e9a65fc19c91b0dc253bd12da9dd8a4

SHA256
ff878da17f7e6ed17b55143f774390c1d851a5b9a745c6aa5155c1eb825283d4

SHA512
7a85635aa8a9210dd6ef1ff74724a5337f63dbe3c0df2d06460dbd3b63d59e2fde8e5f9a24c2575f58bf7d1a15fecd12e7ba98a83c948fd6983232e3193cbdbd

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome.exe

Filesize
401KB

MD5
a1c7ef8040d424d0be7e7baf9cd9eac9

SHA1
e4c3fb057e9a65fc19c91b0dc253bd12da9dd8a4

SHA256
ff878da17f7e6ed17b55143f774390c1d851a5b9a745c6aa5155c1eb825283d4

SHA512
7a85635aa8a9210dd6ef1ff74724a5337f63dbe3c0df2d06460dbd3b63d59e2fde8e5f9a24c2575f58bf7d1a15fecd12e7ba98a83c948fd6983232e3193cbdbd

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
275KB

MD5
32a56b4e67436bdd3d39809a9be949b8

SHA1
dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc

SHA256
5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df

SHA512
70b8dc7b1509cfa3975c97baa4a2b49746fac2438307ab97ae67bdd0e98d2d26e05f2e83c0349234b4deb9314715aea01084fd11e7f77b2d4bba856aa7726e47

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
275KB

MD5
32a56b4e67436bdd3d39809a9be949b8

SHA1
dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc

SHA256
5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df

SHA512
70b8dc7b1509cfa3975c97baa4a2b49746fac2438307ab97ae67bdd0e98d2d26e05f2e83c0349234b4deb9314715aea01084fd11e7f77b2d4bba856aa7726e47

Download Submit
\Users\Admin\AppData\Local\Temp\SLAYER Leecher v0.7.exe

Filesize
6.6MB

MD5
aa0b6211f5245f25392b74fdbab048eb

SHA1
05c37446aca08847a2688257d0fb138f560b4db2

SHA256
74cb827e0324e02bae1b2632b624ff84bd4bd54b796bb046fa27f557ca8f8674

SHA512
97e44da681f5b7db132cd37b1a6305f45d5ec546a23ae3f55f8a8cd214e5c76d22947d12a844767c88fc1844f297f7ce7a85569859286b3b5816144979d05176

Download Submit
\Users\Admin\AppData\Roaming\Google Chrome.exe

Filesize
401KB

MD5
a1c7ef8040d424d0be7e7baf9cd9eac9

SHA1
e4c3fb057e9a65fc19c91b0dc253bd12da9dd8a4

SHA256
ff878da17f7e6ed17b55143f774390c1d851a5b9a745c6aa5155c1eb825283d4

SHA512
7a85635aa8a9210dd6ef1ff74724a5337f63dbe3c0df2d06460dbd3b63d59e2fde8e5f9a24c2575f58bf7d1a15fecd12e7ba98a83c948fd6983232e3193cbdbd

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
275KB

MD5
32a56b4e67436bdd3d39809a9be949b8

SHA1
dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc

SHA256
5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df

SHA512
70b8dc7b1509cfa3975c97baa4a2b49746fac2438307ab97ae67bdd0e98d2d26e05f2e83c0349234b4deb9314715aea01084fd11e7f77b2d4bba856aa7726e47

Download Submit
memory/860-56-0x0000000000000000-mapping.dmp

Download
memory/860-69-0x0000000000F60000-0x0000000000FCA000-memory.dmp

Filesize
424KB

Download
memory/972-70-0x0000000000000000-mapping.dmp

Download
memory/1324-64-0x0000000000000000-mapping.dmp

Download
memory/1324-68-0x0000000001360000-0x00000000019FC000-memory.dmp

Filesize
6.6MB

Download
memory/1372-59-0x0000000000000000-mapping.dmp

Download
memory/1372-67-0x00000000011A0000-0x00000000011EA000-memory.dmp

Filesize
296KB

Download
memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download