redline | 0d09a4ab3e8ceb83ed61d72f369dafe02bcfee6e57551b3a9077aee0a718aee8

General

Target

file.exe
Size

355KB
MD5

2d497f4c12f1f0167fc10ecf35f723d4
SHA1

96a8d7fead7f50bcc39ff986b289e9cc240a8f20
SHA256

0d09a4ab3e8ceb83ed61d72f369dafe02bcfee6e57551b3a9077aee0a718aee8
SHA512

9efb947c9bab3a0e29f80b0697ab621728f92b1fd08e6bea4143bf421634397ffd7ad5020f3b7314aca2818df1355f8986e9389fa8b006e660c14ad4381564a3
SSDEEP

6144:K3e/3W0KIVKIV41+YlMQxQHyeNnCm0AO0MRll/UGk2YLJK2iRdh:KW3W0KIVKL+YlJFZtnpk2YLJmdh

Score

10^/10

redline logsdiller cloud (tg: @mr_golds)infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @mr_golds)

C2

51.89.201.21:7161

Attributes

auth_value
4b2de03af6b6ac513ac597c2e6c1ad51

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2480-132-0x0000000000F90000-0x0000000000FEC000-memory.dmp	family_redline
behavioral2/memory/3328-134-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/2480-139-0x0000000000F90000-0x0000000000FEC000-memory.dmp	family_redline

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

44 3936 WScript.exe
45 3936 WScript.exe
46 3936 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

setu2p.exe

pid process

2488 setu2p.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
44	3936	WScript.exe
45	3936	WScript.exe
46	3936	WScript.exe

pid	process
2488	setu2p.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

file.exesetu2p.exe

description	pid	process	target process
PID 2480 set thread context of 3328	2480	file.exe	RegSvcs.exe
PID 2488 set thread context of 3112	2488	setu2p.exe	RegSvcs.exe

Modifies registry class 1 IoCs

Processes:

RegSvcs.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

3328 RegSvcs.exe
3328 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3328 RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	RegSvcs.exe

pid	process
3328	RegSvcs.exe
3328	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3328	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeRegSvcs.exemsedge.exesetu2p.exe

description	pid	process	target process
PID 2480 wrote to memory of 3328	2480	file.exe	RegSvcs.exe
PID 2480 wrote to memory of 3328	2480	file.exe	RegSvcs.exe
PID 2480 wrote to memory of 3328	2480	file.exe	RegSvcs.exe
PID 2480 wrote to memory of 3328	2480	file.exe	RegSvcs.exe
PID 2480 wrote to memory of 3328	2480	file.exe	RegSvcs.exe
PID 3328 wrote to memory of 2228	3328	RegSvcs.exe	msedge.exe
PID 3328 wrote to memory of 2228	3328	RegSvcs.exe	msedge.exe
PID 2228 wrote to memory of 3604	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 3604	2228	msedge.exe	msedge.exe
PID 3328 wrote to memory of 3936	3328	RegSvcs.exe	WScript.exe
PID 3328 wrote to memory of 3936	3328	RegSvcs.exe	WScript.exe
PID 3328 wrote to memory of 3936	3328	RegSvcs.exe	WScript.exe
PID 3328 wrote to memory of 2488	3328	RegSvcs.exe	setu2p.exe
PID 3328 wrote to memory of 2488	3328	RegSvcs.exe	setu2p.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2488 wrote to memory of 3112	2488	setu2p.exe	RegSvcs.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe
PID 2228 wrote to memory of 2828	2228	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bestrealprizes.life/?u=lq1pd08&o=hdck0gl
3⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee86646f8,0x7ffee8664708,0x7ffee8664718
4⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13713000100298329823,15679615994250235746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
4⤵
PID:2828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\se21t2up.vbs"
3⤵
- Blocklisted process makes network request
PID:3936

C:\Users\Admin\AppData\Local\Temp\setu2p.exe
"C:\Users\Admin\AppData\Local\Temp\setu2p.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
4⤵
PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\se21t2up.vbs
Filesize
105B

MD5
064f2ad8b3f9af378e25c0b020ec1032

SHA1
c1e33a06caf2a9bff748a4f25a21902883e7e32d

SHA256
5352edec4a906a9ee0722236f82cbce8704df1e1654d36ed96e1a3aa45ea08ed

SHA512
6886f7cc1e5b559aab638e926e3dd8a86433861a42538aefabd187f72bbad092696f90971f980f52ab8f6dce851019ff162467baa1477db0ee6dec89e666d4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\setu2p.exe
Filesize
344KB

MD5
fcca5d8a8af3426aeb3adde55b63bd56

SHA1
add2df1738a6400f80b25f2ba1c2d4b9df1b3c64

SHA256
f1962300bb7fe971f5fa288a5ae9bf4c6c0ae848481d150eb23d9dccbb61847b

SHA512
c367496d785aee0183b0a6aaa6bb4c99468ad5efe7be61ed06884607451093173909ee384f208e2379508c35a4e853b7505182cf4bd4919c9e86f374f14c5fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setu2p.exe
Filesize
344KB

MD5
fcca5d8a8af3426aeb3adde55b63bd56

SHA1
add2df1738a6400f80b25f2ba1c2d4b9df1b3c64

SHA256
f1962300bb7fe971f5fa288a5ae9bf4c6c0ae848481d150eb23d9dccbb61847b

SHA512
c367496d785aee0183b0a6aaa6bb4c99468ad5efe7be61ed06884607451093173909ee384f208e2379508c35a4e853b7505182cf4bd4919c9e86f374f14c5fd7

Download Submit
memory/2228-151-0x0000000000000000-mapping.dmp

Download
memory/2480-139-0x0000000000F90000-0x0000000000FEC000-memory.dmp

Filesize
368KB

Download
memory/2480-132-0x0000000000F90000-0x0000000000FEC000-memory.dmp

Filesize
368KB

Download
memory/2488-155-0x0000000000000000-mapping.dmp

Download
memory/2828-165-0x0000000000000000-mapping.dmp

Download
memory/3112-161-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3112-158-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3112-159-0x0000000140003E0C-mapping.dmp

Download
memory/3112-160-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3112-162-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3112-163-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/3328-143-0x0000000004E90000-0x0000000004ECC000-memory.dmp

Filesize
240KB

Download
memory/3328-146-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/3328-133-0x0000000000000000-mapping.dmp

Download
memory/3328-134-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3328-149-0x00000000087D0000-0x0000000008992000-memory.dmp

Filesize
1.8MB

Download
memory/3328-148-0x0000000005EA0000-0x0000000005EF0000-memory.dmp

Filesize
320KB

Download
memory/3328-147-0x0000000005E20000-0x0000000005E96000-memory.dmp

Filesize
472KB

Download
memory/3328-150-0x0000000008ED0000-0x00000000093FC000-memory.dmp

Filesize
5.2MB

Download
memory/3328-145-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/3328-144-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/3328-142-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/3328-141-0x0000000004ED0000-0x0000000004FDA000-memory.dmp

Filesize
1.0MB

Download
memory/3328-140-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/3604-152-0x0000000000000000-mapping.dmp

Download
memory/3936-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads