redline | c4a4e9711a986b18ce9bd24527a8701bfcb30efeacd70206662c768555a2d8f9

General

Target

Setup.exe
Size

4.9MB
MD5

ac8ba09adf3b68f30c66161754abc4b8
SHA1

79e4b354e1fb3851fc82328e78ddc600f8b002e6
SHA256

c4a4e9711a986b18ce9bd24527a8701bfcb30efeacd70206662c768555a2d8f9
SHA512

a57df74480c12fac25358e6d2fcca09d05ce803b422e4b5e71252da9f01d9ce8aaee4aad9be5a5671dec75e4824e56dba4c23a53cb090b3f4a2970dc4211d08f
SSDEEP

98304:cmSvTP91uOuMvD+qhfvZQJilKExs6g2FkZ7Xg5HE:cdx1utMqqZvZk0xs6g2KZ7XkE

Score

10^/10

redline @workaem1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@workaem1

C2

77.73.134.24:80

Attributes

auth_value
2030dc6484c4b1a62d99fe219cba9cd6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3364-143-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
908	svhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 3364	1176	Setup.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1476	powershell.exe
1476	powershell.exe
3364	Setup.exe
3364	Setup.exe
2204	powershell.exe
2204	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	Setup.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	3364	Setup.exe
Token: SeDebugPrivilege	2204	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1476	1176	Setup.exe	85
PID 1176 wrote to memory of 1476	1176	Setup.exe	85
PID 1176 wrote to memory of 1476	1176	Setup.exe	85
PID 1176 wrote to memory of 3364	1176	Setup.exe	91
PID 1176 wrote to memory of 3364	1176	Setup.exe	91
PID 1176 wrote to memory of 3364	1176	Setup.exe	91
PID 1176 wrote to memory of 3364	1176	Setup.exe	91
PID 1176 wrote to memory of 3364	1176	Setup.exe	91
PID 1176 wrote to memory of 3364	1176	Setup.exe	91
PID 1176 wrote to memory of 3364	1176	Setup.exe	91
PID 1176 wrote to memory of 3364	1176	Setup.exe	91
PID 3364 wrote to memory of 908	3364	Setup.exe	93
PID 3364 wrote to memory of 908	3364	Setup.exe	93
PID 908 wrote to memory of 2204	908	svhost.exe	94
PID 908 wrote to memory of 2204	908	svhost.exe	94
PID 2204 wrote to memory of 3428	2204	powershell.exe	96
PID 2204 wrote to memory of 3428	2204	powershell.exe	96

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\Setup.exe
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\Demeon.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\Demeon.exe
        5⤵
        Creates scheduled task(s)
        
        PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log

Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
61fb5e5ced01cd17ecba413a74f09021

SHA1
80ac98e1f0c057c0722d9f4dd8cc660b4c3b55d1

SHA256
307becd16c2e35886bcd2ceb1eebedb8b517a729d00daf56940bbd28dfcfc11c

SHA512
38ce190ed5c971de616780d5bb287e09058ecfedd373e512ae6267dd1066a447a21bdb5e25e1a74d229105626913bc316acbab5ba4f979030dd22a8120aa4f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
4.5MB

MD5
3862bfb4f1273249bd73a8cba326d9a1

SHA1
952fc20b5c6aefbbdffdd2f33035bf57f31322e2

SHA256
2cd9fea6d90b1971118a4b434ad7d51ec70e188824c755db0891adba40c458d8

SHA512
cf2f01e674684a6f869fc030c7ef51bd88155763de79423647879a319c249a8bfe85bdeccc0fc8e7b815021a0a3490aee126302438b35e3bddd41f3d4938180d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
4.5MB

MD5
3862bfb4f1273249bd73a8cba326d9a1

SHA1
952fc20b5c6aefbbdffdd2f33035bf57f31322e2

SHA256
2cd9fea6d90b1971118a4b434ad7d51ec70e188824c755db0891adba40c458d8

SHA512
cf2f01e674684a6f869fc030c7ef51bd88155763de79423647879a319c249a8bfe85bdeccc0fc8e7b815021a0a3490aee126302438b35e3bddd41f3d4938180d

Download Submit
memory/1176-132-0x0000000000830000-0x0000000000CC2000-memory.dmp

Filesize
4.6MB

Download
memory/1176-133-0x0000000005E70000-0x0000000005E92000-memory.dmp

Filesize
136KB

Download
memory/1476-140-0x00000000071C0000-0x000000000783A000-memory.dmp

Filesize
6.5MB

Download
memory/1476-137-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/1476-141-0x0000000006050000-0x000000000606A000-memory.dmp

Filesize
104KB

Download
memory/1476-138-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/1476-139-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/1476-135-0x00000000045C0000-0x00000000045F6000-memory.dmp

Filesize
216KB

Download
memory/1476-136-0x0000000004C30000-0x0000000005258000-memory.dmp

Filesize
6.2MB

Download
memory/2204-163-0x00007FFD504A0000-0x00007FFD50F61000-memory.dmp

Filesize
10.8MB

Download
memory/2204-162-0x00007FFD504A0000-0x00007FFD50F61000-memory.dmp

Filesize
10.8MB

Download
memory/2204-159-0x0000016C69AD0000-0x0000016C69AF2000-memory.dmp

Filesize
136KB

Download
memory/3364-146-0x0000000008DD0000-0x0000000008EDA000-memory.dmp

Filesize
1.0MB

Download
memory/3364-152-0x000000000B090000-0x000000000B5BC000-memory.dmp

Filesize
5.2MB

Download
memory/3364-153-0x000000000AB60000-0x000000000ABD6000-memory.dmp

Filesize
472KB

Download
memory/3364-154-0x000000000A240000-0x000000000A290000-memory.dmp

Filesize
320KB

Download
memory/3364-151-0x000000000A2B0000-0x000000000A472000-memory.dmp

Filesize
1.8MB

Download
memory/3364-150-0x000000000A5B0000-0x000000000AB54000-memory.dmp

Filesize
5.6MB

Download
memory/3364-149-0x0000000009F60000-0x0000000009FF2000-memory.dmp

Filesize
584KB

Download
memory/3364-148-0x0000000008EE0000-0x0000000008F1C000-memory.dmp

Filesize
240KB

Download
memory/3364-147-0x0000000008D60000-0x0000000008D72000-memory.dmp

Filesize
72KB

Download
memory/3364-145-0x0000000005F90000-0x00000000065A8000-memory.dmp

Filesize
6.1MB

Download
memory/3364-143-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads