redline | 43fcbced48b47166f1e3076c6e67a9fa24994777ae13d9420c4865f01292f8b4

Analysis

max time kernel
424s
max time network
432s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
10-10-2022 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MicrosoftRuntimeComponents.exe
Size

833.5MB
MD5

ad71745bcb2bb1d4a79ec5c75062d09b
SHA1

4545aecb1eb4c1a24641512b90b66782fea36fc9
SHA256

a91873b251e1715b1e8b08e11625ff41299101145532ec7d2dfc2a388e3ba7b0
SHA512

47f8bc782f58bcf469dee10ec729e919be561dc21c74231516aca3451b989381ed70b30629575a182a9e4f93f17f085ef468003d2480b003e9ac710af9ec1dfa
SSDEEP

12288:GnjoJLD6/JnWZQzjFeM6DJOjB9sTTHymtrGj2PLpKDqXt1M4fN1rslbEpWxUF3HM:CnYQb6VOOiqE+U4fNRzHOS

Score

10^/10

redline 4 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

65.108.208.77:7079

Attributes

auth_value
5960e9132cc19aa61f05cfde86bd2272

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

MicrosoftRuntimeComponents.exe

description pid process target process

PID 1348 set thread context of 1664 1348 MicrosoftRuntimeComponents.exe MicrosoftRuntimeComponents.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MicrosoftRuntimeComponents.exe

pid process

1664 MicrosoftRuntimeComponents.exe
1664 MicrosoftRuntimeComponents.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MicrosoftRuntimeComponents.exeMicrosoftRuntimeComponents.exe

description pid process

Token: SeDebugPrivilege 1348 MicrosoftRuntimeComponents.exe
Token: SeDebugPrivilege 1664 MicrosoftRuntimeComponents.exe

description	pid	process	target process
PID 1348 set thread context of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe

pid	process
1664	MicrosoftRuntimeComponents.exe
1664	MicrosoftRuntimeComponents.exe

description	pid	process
Token: SeDebugPrivilege	1348	MicrosoftRuntimeComponents.exe
Token: SeDebugPrivilege	1664	MicrosoftRuntimeComponents.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

MicrosoftRuntimeComponents.exe

description	pid	process	target process
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 1348 wrote to memory of 1664	1348	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe

C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-54-0x0000000000D30000-0x0000000000EB0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-55-0x0000000005DE0000-0x0000000005E90000-memory.dmp

Filesize
704KB

Download
memory/1348-56-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/1664-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1664-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1664-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1664-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1664-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1664-63-0x0000000000417BDE-mapping.dmp

Download
memory/1664-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1664-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1664-68-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download