redline | f694cfada7521c55767270213ce1b6c6f3bf434a376b172d5eeb5d732a1a960a

Analysis

max time kernel
116s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/10/2022, 21:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Installer/installer.exe
Size

573.1MB
MD5

836d5c8980966392f6ef7cfa091b95c7
SHA1

aa9e473c4a798a1bec3d8393b0bc91896e1075b4
SHA256

53864ad6097d98c2a38b03a079f143b45e6ce1bd13ad09cb60c8852bd96882c9
SHA512

fa3f348d96634656a92edb981331cb4666907993cd94932cf891d9bb10d59f7c885b5b122ca7f18e154213026d9229432873e41983214342486097c0d814e4c8
SSDEEP

12288:zqFDHXF32ful4Ke0pkQ/KOvS72vFBmcjf35lN/WfidDnsjPLCorsHwVGiBFF+vm9:OFr8GEwkoKOvS72yifgfdsHwR

Score

10^/10

redline test discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

test

89.22.238.112:16108

Attributes

auth_value
53d3260e19811ed645d4695958f97695

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1100-56-0x0000000035AA0000-0x0000000035B0A000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
980	chrome.exe
1184	chrome10.exe
110208	Avast security.exe

Loads dropped DLL 11 IoCs

pid	Process
1100	installer.exe
980	chrome.exe
980	chrome.exe
1100	installer.exe
1100	installer.exe
1184	chrome10.exe
1184	chrome10.exe
1184	chrome10.exe
110160	cmd.exe
110208	Avast security.exe
110208	Avast security.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleLibraryUpdater = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"	AppLaunch.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 109964	1184	chrome10.exe	34
PID 980 set thread context of 97656	980	chrome.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1100	installer.exe
1100	installer.exe
109964	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	installer.exe
Token: SeRestorePrivilege	1100	installer.exe
Token: SeBackupPrivilege	1100	installer.exe
Token: SeDebugPrivilege	109964	AppLaunch.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 980	1100	installer.exe	29
PID 1100 wrote to memory of 980	1100	installer.exe	29
PID 1100 wrote to memory of 980	1100	installer.exe	29
PID 1100 wrote to memory of 980	1100	installer.exe	29
PID 1100 wrote to memory of 980	1100	installer.exe	29
PID 1100 wrote to memory of 980	1100	installer.exe	29
PID 1100 wrote to memory of 980	1100	installer.exe	29
PID 1100 wrote to memory of 1184	1100	installer.exe	32
PID 1100 wrote to memory of 1184	1100	installer.exe	32
PID 1100 wrote to memory of 1184	1100	installer.exe	32
PID 1100 wrote to memory of 1184	1100	installer.exe	32
PID 1100 wrote to memory of 1184	1100	installer.exe	32
PID 1100 wrote to memory of 1184	1100	installer.exe	32
PID 1100 wrote to memory of 1184	1100	installer.exe	32
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 1184 wrote to memory of 109964	1184	chrome10.exe	34
PID 1184 wrote to memory of 109964	1184	chrome10.exe	34
PID 1184 wrote to memory of 109964	1184	chrome10.exe	34
PID 1184 wrote to memory of 109964	1184	chrome10.exe	34
PID 1184 wrote to memory of 109964	1184	chrome10.exe	34
PID 1184 wrote to memory of 109964	1184	chrome10.exe	34
PID 980 wrote to memory of 97656	980	chrome.exe	33
PID 109964 wrote to memory of 110160	109964	AppLaunch.exe	36
PID 109964 wrote to memory of 110160	109964	AppLaunch.exe	36
PID 109964 wrote to memory of 110160	109964	AppLaunch.exe	36
PID 109964 wrote to memory of 110160	109964	AppLaunch.exe	36
PID 109964 wrote to memory of 110160	109964	AppLaunch.exe	36
PID 109964 wrote to memory of 110160	109964	AppLaunch.exe	36
PID 109964 wrote to memory of 110160	109964	AppLaunch.exe	36
PID 110160 wrote to memory of 110208	110160	cmd.exe	38
PID 110160 wrote to memory of 110208	110160	cmd.exe	38
PID 110160 wrote to memory of 110208	110160	cmd.exe	38
PID 110160 wrote to memory of 110208	110160	cmd.exe	38
PID 110160 wrote to memory of 110208	110160	cmd.exe	38
PID 110160 wrote to memory of 110208	110160	cmd.exe	38
PID 110160 wrote to memory of 110208	110160	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\Installer\installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer\installer.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Adds Run key to start application
    PID:97656
- C:\Users\Admin\AppData\Local\Temp\chrome10.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome10.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:109964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Media Center Programs\Avast security.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:110160
    - - C:\Users\Admin\AppData\Roaming\Media Center Programs\Avast security.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\Avast security.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:110208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a3cbfb6b54e023903fd3c09168aefd1b

SHA1
df463641cb22517c6e98c96827efd567b5323206

SHA256
7e637e0083e0270970b11b14f69e753b9bff501f5e64162b361c3504096db56b

SHA512
c1a0171d613fe41bebf5d7d87d5a4dcdeaabdce4bbdfd4c57dcb9649d4343bc4aba388a28e74304042a5883f0319b4440f0c149ebc3c439d79c622fa29b3eaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
2.8MB

MD5
66dee7c8de0a7f51d6ba7d2deb326fbf

SHA1
c815b088a117ed3e1ab26d2f11f6bc5c4ea6c7e0

SHA256
1b552aa54fb5cfaf77f0f2538f91e8b3af2e6e38e226cdf3275dac661ea41349

SHA512
ce7586dbbaed4e06246a44b83623154120c14c6be2ab18155a928e07b595929ce3f61909b7735b8db32bbefde19bb2586b92049f020af524696d875932af8dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
2.8MB

MD5
66dee7c8de0a7f51d6ba7d2deb326fbf

SHA1
c815b088a117ed3e1ab26d2f11f6bc5c4ea6c7e0

SHA256
1b552aa54fb5cfaf77f0f2538f91e8b3af2e6e38e226cdf3275dac661ea41349

SHA512
ce7586dbbaed4e06246a44b83623154120c14c6be2ab18155a928e07b595929ce3f61909b7735b8db32bbefde19bb2586b92049f020af524696d875932af8dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome10.exe

Filesize
2.5MB

MD5
290c93308df219e3c7c1327ad92f96b8

SHA1
66f0eacaea6ff5a1a61c6a4135ed01915400127c

SHA256
4fa22e1bac38b218b5a4abdd93610d2208e1b4d2e2507aee1b804d966172690f

SHA512
69cd7e138d7c5ab3556e3a254a37b0d21ba4aa196786b936b01c97a32d0477280b9f831239d84435ab7ffe98b0d548eda27356b6ca88a07ba7884b82e060aabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome10.exe

Filesize
2.5MB

MD5
290c93308df219e3c7c1327ad92f96b8

SHA1
66f0eacaea6ff5a1a61c6a4135ed01915400127c

SHA256
4fa22e1bac38b218b5a4abdd93610d2208e1b4d2e2507aee1b804d966172690f

SHA512
69cd7e138d7c5ab3556e3a254a37b0d21ba4aa196786b936b01c97a32d0477280b9f831239d84435ab7ffe98b0d548eda27356b6ca88a07ba7884b82e060aabb

Download Submit
C:\Users\Admin\AppData\Roaming\Media Center Programs\Avast security.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
C:\Users\Admin\AppData\Roaming\Media Center Programs\Avast security.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
2.8MB

MD5
66dee7c8de0a7f51d6ba7d2deb326fbf

SHA1
c815b088a117ed3e1ab26d2f11f6bc5c4ea6c7e0

SHA256
1b552aa54fb5cfaf77f0f2538f91e8b3af2e6e38e226cdf3275dac661ea41349

SHA512
ce7586dbbaed4e06246a44b83623154120c14c6be2ab18155a928e07b595929ce3f61909b7735b8db32bbefde19bb2586b92049f020af524696d875932af8dd9

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
2.8MB

MD5
66dee7c8de0a7f51d6ba7d2deb326fbf

SHA1
c815b088a117ed3e1ab26d2f11f6bc5c4ea6c7e0

SHA256
1b552aa54fb5cfaf77f0f2538f91e8b3af2e6e38e226cdf3275dac661ea41349

SHA512
ce7586dbbaed4e06246a44b83623154120c14c6be2ab18155a928e07b595929ce3f61909b7735b8db32bbefde19bb2586b92049f020af524696d875932af8dd9

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
2.8MB

MD5
66dee7c8de0a7f51d6ba7d2deb326fbf

SHA1
c815b088a117ed3e1ab26d2f11f6bc5c4ea6c7e0

SHA256
1b552aa54fb5cfaf77f0f2538f91e8b3af2e6e38e226cdf3275dac661ea41349

SHA512
ce7586dbbaed4e06246a44b83623154120c14c6be2ab18155a928e07b595929ce3f61909b7735b8db32bbefde19bb2586b92049f020af524696d875932af8dd9

Download Submit
\Users\Admin\AppData\Local\Temp\chrome10.exe

Filesize
2.5MB

MD5
290c93308df219e3c7c1327ad92f96b8

SHA1
66f0eacaea6ff5a1a61c6a4135ed01915400127c

SHA256
4fa22e1bac38b218b5a4abdd93610d2208e1b4d2e2507aee1b804d966172690f

SHA512
69cd7e138d7c5ab3556e3a254a37b0d21ba4aa196786b936b01c97a32d0477280b9f831239d84435ab7ffe98b0d548eda27356b6ca88a07ba7884b82e060aabb

Download Submit
\Users\Admin\AppData\Local\Temp\chrome10.exe

Filesize
2.5MB

MD5
290c93308df219e3c7c1327ad92f96b8

SHA1
66f0eacaea6ff5a1a61c6a4135ed01915400127c

SHA256
4fa22e1bac38b218b5a4abdd93610d2208e1b4d2e2507aee1b804d966172690f

SHA512
69cd7e138d7c5ab3556e3a254a37b0d21ba4aa196786b936b01c97a32d0477280b9f831239d84435ab7ffe98b0d548eda27356b6ca88a07ba7884b82e060aabb

Download Submit
\Users\Admin\AppData\Local\Temp\chrome10.exe

Filesize
2.5MB

MD5
290c93308df219e3c7c1327ad92f96b8

SHA1
66f0eacaea6ff5a1a61c6a4135ed01915400127c

SHA256
4fa22e1bac38b218b5a4abdd93610d2208e1b4d2e2507aee1b804d966172690f

SHA512
69cd7e138d7c5ab3556e3a254a37b0d21ba4aa196786b936b01c97a32d0477280b9f831239d84435ab7ffe98b0d548eda27356b6ca88a07ba7884b82e060aabb

Download Submit
\Users\Admin\AppData\Local\Temp\chrome10.exe

Filesize
2.5MB

MD5
290c93308df219e3c7c1327ad92f96b8

SHA1
66f0eacaea6ff5a1a61c6a4135ed01915400127c

SHA256
4fa22e1bac38b218b5a4abdd93610d2208e1b4d2e2507aee1b804d966172690f

SHA512
69cd7e138d7c5ab3556e3a254a37b0d21ba4aa196786b936b01c97a32d0477280b9f831239d84435ab7ffe98b0d548eda27356b6ca88a07ba7884b82e060aabb

Download Submit
\Users\Admin\AppData\Local\Temp\chrome10.exe

Filesize
2.5MB

MD5
290c93308df219e3c7c1327ad92f96b8

SHA1
66f0eacaea6ff5a1a61c6a4135ed01915400127c

SHA256
4fa22e1bac38b218b5a4abdd93610d2208e1b4d2e2507aee1b804d966172690f

SHA512
69cd7e138d7c5ab3556e3a254a37b0d21ba4aa196786b936b01c97a32d0477280b9f831239d84435ab7ffe98b0d548eda27356b6ca88a07ba7884b82e060aabb

Download Submit
\Users\Admin\AppData\Roaming\Media Center Programs\Avast security.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
\Users\Admin\AppData\Roaming\Media Center Programs\Avast security.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
\Users\Admin\AppData\Roaming\Media Center Programs\Avast security.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
memory/1100-57-0x0000000033200000-0x0000000033206000-memory.dmp

Filesize
24KB

Download
memory/1100-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1100-56-0x0000000035AA0000-0x0000000035B0A000-memory.dmp

Filesize
424KB

Download
memory/1100-58-0x00000000002C0000-0x000000000032E000-memory.dmp

Filesize
440KB

Download
memory/1100-55-0x00000000002C0000-0x000000000032E000-memory.dmp

Filesize
440KB

Download
memory/97656-77-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/97656-111-0x00000000003C0000-0x00000000003F5000-memory.dmp

Filesize
212KB

Download
memory/97656-98-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/97656-99-0x00000000003C0000-0x00000000003F5000-memory.dmp

Filesize
212KB

Download
memory/97656-95-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/97656-112-0x00000000003C0000-0x00000000003F5000-memory.dmp

Filesize
212KB

Download
memory/97656-75-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/109964-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/109964-93-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/109964-84-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/109964-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download