redline | 43fcbced48b47166f1e3076c6e67a9fa24994777ae13d9420c4865f01292f8b4

Analysis

max time kernel
370s
max time network
436s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
10-10-2022 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MicrosoftRuntimeComponents.exe
Size

833.5MB
MD5

ad71745bcb2bb1d4a79ec5c75062d09b
SHA1

4545aecb1eb4c1a24641512b90b66782fea36fc9
SHA256

a91873b251e1715b1e8b08e11625ff41299101145532ec7d2dfc2a388e3ba7b0
SHA512

47f8bc782f58bcf469dee10ec729e919be561dc21c74231516aca3451b989381ed70b30629575a182a9e4f93f17f085ef468003d2480b003e9ac710af9ec1dfa
SSDEEP

12288:GnjoJLD6/JnWZQzjFeM6DJOjB9sTTHymtrGj2PLpKDqXt1M4fN1rslbEpWxUF3HM:CnYQb6VOOiqE+U4fNRzHOS

Score

10^/10

redline 4 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

65.108.208.77:7079

Attributes

auth_value
5960e9132cc19aa61f05cfde86bd2272

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

MicrosoftRuntimeComponents.exe

description pid process target process

PID 2340 set thread context of 1420 2340 MicrosoftRuntimeComponents.exe MicrosoftRuntimeComponents.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MicrosoftRuntimeComponents.exeMicrosoftRuntimeComponents.exe

pid process

2340 MicrosoftRuntimeComponents.exe
2340 MicrosoftRuntimeComponents.exe
1420 MicrosoftRuntimeComponents.exe
1420 MicrosoftRuntimeComponents.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MicrosoftRuntimeComponents.exeMicrosoftRuntimeComponents.exe

description pid process

Token: SeDebugPrivilege 2340 MicrosoftRuntimeComponents.exe
Token: SeDebugPrivilege 1420 MicrosoftRuntimeComponents.exe

description	pid	process	target process
PID 2340 set thread context of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe

pid	process
2340	MicrosoftRuntimeComponents.exe
2340	MicrosoftRuntimeComponents.exe
1420	MicrosoftRuntimeComponents.exe
1420	MicrosoftRuntimeComponents.exe

description	pid	process
Token: SeDebugPrivilege	2340	MicrosoftRuntimeComponents.exe
Token: SeDebugPrivilege	1420	MicrosoftRuntimeComponents.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

MicrosoftRuntimeComponents.exe

description	pid	process	target process
PID 2340 wrote to memory of 3696	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 3696	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 3696	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe
PID 2340 wrote to memory of 1420	2340	MicrosoftRuntimeComponents.exe	MicrosoftRuntimeComponents.exe

C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
2⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
C:\Users\Admin\AppData\Local\Temp\MicrosoftRuntimeComponents.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MicrosoftRuntimeComponents.exe.log
Filesize
1KB

MD5
5c01a57bb6376dc958d99ed7a67870ff

SHA1
d092c7dfd148ac12b086049d215e6b00bd78628d

SHA256
cb8fd245425e915bfc5ff411f26303f7cb4a30ed37f2ea4a2f0a12501aa5f2a4

SHA512
e4e3a4b74f8e209573cce58b572c1f71653e6f4df98f98c5a1cecdf76c9ffb91d5e6994c89df41c9f3613a0584301a56ca922ab7497a434e108b28dcd7d33038

Download Submit
memory/1420-241-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/1420-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-257-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/1420-253-0x0000000006610000-0x0000000006686000-memory.dmp

Filesize
472KB

Download
memory/1420-252-0x0000000005BE0000-0x0000000005C30000-memory.dmp

Filesize
320KB

Download
memory/1420-244-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/1420-174-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-240-0x0000000005F90000-0x000000000648E000-memory.dmp

Filesize
5.0MB

Download
memory/1420-236-0x0000000004FC0000-0x000000000500B000-memory.dmp

Filesize
300KB

Download
memory/1420-228-0x0000000004F40000-0x0000000004F7E000-memory.dmp

Filesize
248KB

Download
memory/1420-225-0x0000000005010000-0x000000000511A000-memory.dmp

Filesize
1.0MB

Download
memory/1420-224-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

Filesize
72KB

Download
memory/1420-175-0x0000000000417BDE-mapping.dmp

Download
memory/1420-258-0x0000000006970000-0x0000000006B32000-memory.dmp

Filesize
1.8MB

Download
memory/1420-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-188-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-187-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-189-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-181-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-259-0x0000000007A10000-0x0000000007F3C000-memory.dmp

Filesize
5.2MB

Download
memory/1420-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1420-223-0x0000000005480000-0x0000000005A86000-memory.dmp

Filesize
6.0MB

Download
memory/2340-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-153-0x0000000000CA0000-0x0000000000E20000-memory.dmp

Filesize
1.5MB

Download
memory/2340-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-158-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-160-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-162-0x0000000005C40000-0x0000000005CF0000-memory.dmp

Filesize
704KB

Download
memory/2340-163-0x0000000005D60000-0x0000000005DF2000-memory.dmp

Filesize
584KB

Download
memory/2340-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-167-0x0000000005E50000-0x0000000005E72000-memory.dmp

Filesize
136KB

Download
memory/2340-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-169-0x0000000005F80000-0x00000000062D0000-memory.dmp

Filesize
3.3MB

Download
memory/2340-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download