redline | ddd2832de9b42fc2b5b4ad51c9db65d979fec3312aaed4b1a31aa439b0598569

General

Target

SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe
Size

7KB
MD5

ea741cefe4cc499c682b9cea7d88c8af
SHA1

06736c7eae5d9c6b0ef7185d42b3227591d9f382
SHA256

ddd2832de9b42fc2b5b4ad51c9db65d979fec3312aaed4b1a31aa439b0598569
SHA512

07bd47d2d5552cfc187e8ce7cdc46ebb133df1065c5402f0903b8b908d824549c29c5d13ca3ed7e10f46fb3f75cd5d7f91307c8b7d7dca3d83070b9fb16f8250
SSDEEP

96:ayiUH8aVYVbJFfrabOk0L3ph+2zIIxOu61gy5jRqzNt:3iWWVtFf4OhL3phJIsOd1l5FM

Score

10^/10

redline sb9s5ylxvj discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

sB9s5YLxvJ

C2

192.3.223.202:3652

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/1368-67-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1368-69-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1368-68-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1368-70-0x000000000041933E-mapping.dmp	family_redline
behavioral1/memory/1368-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1368-74-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ggukpfvec = "\"C:\\Users\\Admin\\AppData\\Roaming\\Frpgmx\\Ggukpfvec.exe\""	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1568	powershell.exe
1368	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe
1368	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1368	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1568	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	28
PID 1800 wrote to memory of 1568	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	28
PID 1800 wrote to memory of 1568	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	28
PID 1800 wrote to memory of 1568	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	28
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31
PID 1800 wrote to memory of 1368	1800	SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.23569.19997.15103.exe
  2⤵
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1368-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1368-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1368-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1368-70-0x000000000041933E-mapping.dmp

Download
memory/1368-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1368-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1368-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1368-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1568-63-0x000000006F5B0000-0x000000006FB5B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-62-0x000000006F5B0000-0x000000006FB5B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-61-0x000000006F5B0000-0x000000006FB5B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-59-0x0000000000000000-mapping.dmp

Download
memory/1800-54-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/1800-58-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/1800-57-0x0000000004320000-0x0000000004366000-memory.dmp

Filesize
280KB

Download
memory/1800-56-0x00000000052C0000-0x000000000534E000-memory.dmp

Filesize
568KB

Download
memory/1800-55-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads