redline | 5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c

General

Target

5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
Size

345KB
MD5

f1d121ab68b439ac310fb79119ffb044
SHA1

f952140c206d96843baa79f2e0e8454c07fa683a
SHA256

5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c
SHA512

ca0a381a392f9ac1c2954042759955b50e6c1fa735609ac69710658e51c48191f0d99469847b3ebf3f40ce854cb0595387ad986aeacbb5ebd8d05666746e6d6d
SSDEEP

6144:GK5lpVV+1MszHze0x/qgMyy4oh5VyrsyaO6enVX9Pv71L8Er8:Hv1YzeDyy4osa6ljQE

Score

10^/10

redline 875784825 evasion infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

875784825

C2

79.137.192.6:8362

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/92800-158-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup23.exeMoUSO.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup23.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MoUSO.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

setup23.exeMoUSO.exewatchdog.exe

pid process

3740 setup23.exe
1280 MoUSO.exe
3772 watchdog.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup23.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup23.exeMoUSO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup23.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation setup23.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	setup23.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

MoUSO.exesetup23.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	MoUSO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	setup23.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup23.exeMoUSO.exe

pid process

3740 setup23.exe
1280 MoUSO.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exewatchdog.exe

description	pid	process	target process
PID 840 set thread context of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 3772 set thread context of 92800	3772	watchdog.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2368 schtasks.exe

pid	process
2368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup23.exeMoUSO.exe

pid	process
3740	setup23.exe
3740	setup23.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe
1280	MoUSO.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 92800 vbc.exe

description	pid	process
Token: SeDebugPrivilege	92800	vbc.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exeRegSvcs.exesetup23.exewatchdog.exe

description	pid	process	target process
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 840 wrote to memory of 2612	840	5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe	RegSvcs.exe
PID 2612 wrote to memory of 3740	2612	RegSvcs.exe	setup23.exe
PID 2612 wrote to memory of 3740	2612	RegSvcs.exe	setup23.exe
PID 2612 wrote to memory of 3740	2612	RegSvcs.exe	setup23.exe
PID 3740 wrote to memory of 2368	3740	setup23.exe	schtasks.exe
PID 3740 wrote to memory of 2368	3740	setup23.exe	schtasks.exe
PID 3740 wrote to memory of 2368	3740	setup23.exe	schtasks.exe
PID 2612 wrote to memory of 3772	2612	RegSvcs.exe	watchdog.exe
PID 2612 wrote to memory of 3772	2612	RegSvcs.exe	watchdog.exe
PID 2612 wrote to memory of 3772	2612	RegSvcs.exe	watchdog.exe
PID 3772 wrote to memory of 92800	3772	watchdog.exe	vbc.exe
PID 3772 wrote to memory of 92800	3772	watchdog.exe	vbc.exe
PID 3772 wrote to memory of 92800	3772	watchdog.exe	vbc.exe
PID 3772 wrote to memory of 92800	3772	watchdog.exe	vbc.exe
PID 3772 wrote to memory of 92800	3772	watchdog.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe
"C:\Users\Admin\AppData\Local\Temp\5f52f4c26c16eceec69e49f93133b4fea3598f840ce5d8065d668dd99f47583c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\setup23.exe
"C:\Users\Admin\AppData\Local\Temp\setup23.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:2368

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:92800

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
d6b0775dc8b065f63eb1c316f861073c

SHA1
06053ace4e90b7b5e5ffd5ea60c508757332669a

SHA256
41417649008fbe3872c14d033ea49da0b91898f24030b98f2d587626c3a95d4f

SHA512
1bbf1436625d5a62f58ee44ac7dffa65291c727b6129990e0677edced90489ba051a6a325d99b8a232c532b41e7b4af49423d33a911dfab8ba56a93a5b63876c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
232d17b4cb2a97f9f1fbc40a74ef8a8a

SHA1
995b252960f3d8028aad7d25448529028d3c7896

SHA256
58754a45ae097847aa19f3aba79b8ff432f45cadc65fac5c62994998c26b2732

SHA512
b499bee6356e8f7b91e82db8574384a1eadbd3875989adfb58e722fad0dbdf2c8a580b000e72709c551a52b0d503b8ef931cb87fbaead953797eab6554f58e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup23.exe
Filesize
1.3MB

MD5
5164546607112f8e62d25d4894705170

SHA1
8cec1cabfdd23909fa950ab6ff031da5fd6eb570

SHA256
390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471

SHA512
d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup23.exe
Filesize
1.3MB

MD5
5164546607112f8e62d25d4894705170

SHA1
8cec1cabfdd23909fa950ab6ff031da5fd6eb570

SHA256
390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471

SHA512
d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
735d324569e557ae7d943929e4ff87e9

SHA1
141e0b89202dd8548c01d9ef55b7278222d8126b

SHA256
4a3d5ca3d8e5b2e7a981c95b7229cf9d3de168be21c22b1bbfff1ee21b3b712e

SHA512
db94ecc52a54309f1eccfb0f6f18c92bd0ef4c4849fe5a528f270262ce2929637c74d63d4959b4e4e4c845d926332f6b5fd3b78a82322871d256f7566d6f1bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
2.5MB

MD5
735d324569e557ae7d943929e4ff87e9

SHA1
141e0b89202dd8548c01d9ef55b7278222d8126b

SHA256
4a3d5ca3d8e5b2e7a981c95b7229cf9d3de168be21c22b1bbfff1ee21b3b712e

SHA512
db94ecc52a54309f1eccfb0f6f18c92bd0ef4c4849fe5a528f270262ce2929637c74d63d4959b4e4e4c845d926332f6b5fd3b78a82322871d256f7566d6f1bee

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
5164546607112f8e62d25d4894705170

SHA1
8cec1cabfdd23909fa950ab6ff031da5fd6eb570

SHA256
390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471

SHA512
d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
5164546607112f8e62d25d4894705170

SHA1
8cec1cabfdd23909fa950ab6ff031da5fd6eb570

SHA256
390fd4d6b3b9f91adb35954d7985708a70a6acd08b23d3e00038d08ae1416471

SHA512
d5b95472b99e6a64e5532aa8e47171083dc90731d476ec1447c951126245f788c337e975111b50023e03d43629defc6b08200fc95d49460e85e134be73d65ebb

Download Submit
memory/1280-168-0x0000000000920000-0x0000000000C8E000-memory.dmp

Filesize
3.4MB

Download
memory/1280-167-0x0000000000920000-0x0000000000C8E000-memory.dmp

Filesize
3.4MB

Download
memory/1280-152-0x0000000000920000-0x0000000000C8E000-memory.dmp

Filesize
3.4MB

Download
memory/1280-150-0x0000000000920000-0x0000000000C8E000-memory.dmp

Filesize
3.4MB

Download
memory/1280-151-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/2368-145-0x0000000000000000-mapping.dmp

Download
memory/2612-132-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/2612-136-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/2612-155-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/2612-135-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/2612-133-0x0000000140003FAC-mapping.dmp

Download
memory/2612-134-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3740-142-0x0000000000650000-0x00000000009BE000-memory.dmp

Filesize
3.4MB

Download
memory/3740-147-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/3740-146-0x0000000000650000-0x00000000009BE000-memory.dmp

Filesize
3.4MB

Download
memory/3740-141-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/3740-137-0x0000000000000000-mapping.dmp

Download
memory/3740-140-0x0000000000650000-0x00000000009BE000-memory.dmp

Filesize
3.4MB

Download
memory/3772-153-0x0000000000000000-mapping.dmp

Download
memory/92800-165-0x0000000005010000-0x000000000504C000-memory.dmp

Filesize
240KB

Download
memory/92800-164-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/92800-163-0x0000000005590000-0x0000000005BA8000-memory.dmp

Filesize
6.1MB

Download
memory/92800-166-0x00000000052C0000-0x00000000053CA000-memory.dmp

Filesize
1.0MB

Download
memory/92800-158-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/92800-157-0x0000000000000000-mapping.dmp

Download
memory/92800-169-0x0000000006320000-0x00000000064E2000-memory.dmp

Filesize
1.8MB

Download
memory/92800-170-0x0000000006A20000-0x0000000006F4C000-memory.dmp

Filesize
5.2MB

Download
memory/92800-171-0x00000000062B0000-0x0000000006316000-memory.dmp

Filesize
408KB

Download
memory/92800-172-0x0000000007500000-0x0000000007AA4000-memory.dmp

Filesize
5.6MB

Download
memory/92800-173-0x0000000006700000-0x0000000006776000-memory.dmp

Filesize
472KB

Download
memory/92800-174-0x0000000006820000-0x00000000068B2000-memory.dmp

Filesize
584KB

Download
memory/92800-175-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads