redline | ac77a1b2a864a90a510537b096cdd499b2fa4695fb8112e9e2f1d200ec4a8c12

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf8cd12acb64e52f34387ade85b0fb18.exe
Size

965KB
MD5

bf8cd12acb64e52f34387ade85b0fb18
SHA1

e538eba64d5134636fb14abf0bd4580b2d9b13ca
SHA256

ac77a1b2a864a90a510537b096cdd499b2fa4695fb8112e9e2f1d200ec4a8c12
SHA512

b05530161f35e6c462516ff0584210a63e34748987f1aba2566f54ac9b27e4985577e239d45eddce6286067a3436d0741f4fc88eb5f393668d9446a25ba561f4
SSDEEP

24576:G53uhFbHKXdz66otpMa0pVYMfDE849CNlJSk3Pnzu:G5+hFWtzRGpMdL9fDE849CN/Skfzu

Score

10^/10

redline 0808-ab infostealer

Malware Config

Extracted

Family

redline

Botnet

0808-ab

144.202.95.227:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3108-159-0x0000000000D70000-0x0000000000D9C000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4748	csrss.com
4348	csrss.com

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bf8cd12acb64e52f34387ade85b0fb18.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 3108	4348	csrss.com	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4936	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1484	PING.EXE
4804	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
3108	RegAsm.exe
3108	RegAsm.exe
3108	RegAsm.exe
3108	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	3108	RegAsm.exe
Token: SeDebugPrivilege	4936	taskkill.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4748	csrss.com
4748	csrss.com
4748	csrss.com
4348	csrss.com
4348	csrss.com
4348	csrss.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4748	csrss.com
4748	csrss.com
4748	csrss.com
4348	csrss.com
4348	csrss.com
4348	csrss.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4884	2652	bf8cd12acb64e52f34387ade85b0fb18.exe	82
PID 2652 wrote to memory of 4884	2652	bf8cd12acb64e52f34387ade85b0fb18.exe	82
PID 2652 wrote to memory of 4884	2652	bf8cd12acb64e52f34387ade85b0fb18.exe	82
PID 4884 wrote to memory of 4924	4884	cmd.exe	84
PID 4884 wrote to memory of 4924	4884	cmd.exe	84
PID 4884 wrote to memory of 4924	4884	cmd.exe	84
PID 4924 wrote to memory of 4804	4924	cmd.exe	85
PID 4924 wrote to memory of 4804	4924	cmd.exe	85
PID 4924 wrote to memory of 4804	4924	cmd.exe	85
PID 4924 wrote to memory of 4844	4924	cmd.exe	86
PID 4924 wrote to memory of 4844	4924	cmd.exe	86
PID 4924 wrote to memory of 4844	4924	cmd.exe	86
PID 4924 wrote to memory of 4748	4924	cmd.exe	87
PID 4924 wrote to memory of 4748	4924	cmd.exe	87
PID 4924 wrote to memory of 4748	4924	cmd.exe	87
PID 4924 wrote to memory of 1484	4924	cmd.exe	88
PID 4924 wrote to memory of 1484	4924	cmd.exe	88
PID 4924 wrote to memory of 1484	4924	cmd.exe	88
PID 4748 wrote to memory of 4348	4748	csrss.com	89
PID 4748 wrote to memory of 4348	4748	csrss.com	89
PID 4748 wrote to memory of 4348	4748	csrss.com	89
PID 2652 wrote to memory of 4932	2652	bf8cd12acb64e52f34387ade85b0fb18.exe	90
PID 2652 wrote to memory of 4932	2652	bf8cd12acb64e52f34387ade85b0fb18.exe	90
PID 2652 wrote to memory of 4932	2652	bf8cd12acb64e52f34387ade85b0fb18.exe	90
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98
PID 4348 wrote to memory of 3108	4348	csrss.com	98

C:\Users\Admin\AppData\Local\Temp\bf8cd12acb64e52f34387ade85b0fb18.exe
"C:\Users\Admin\AppData\Local\Temp\bf8cd12acb64e52f34387ade85b0fb18.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < gsTWaUtfdIy.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 BChfuO.bIvPIb
      4⤵
      Runs ping.exe
      PID:4804
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode RMBMfDVJsYtfOtLClj.com w
      4⤵
      PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
      csrss.com w
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com w
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 3108 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 3108
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:444
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:1484
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -en JABnAHoAeQBiACAAPQAgACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAHQAZQByACAAIgBwAHIAbwBjAGUAcwBzAGkAZAA9ACQAcABpAGQAIgApAC4AcABhAHIAZQBuAHQAcAByAG8AYwBlAHMAcwBpAGQAOwAgACQAdwBlAHgAIAA9ACAAKABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAdwBpAG4AMwAyAF8AcAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAdABlAHIAIAAiAHAAcgBvAGMAZQBzAHMAaQBkAD0AJABnAHoAeQBiACIAKQAuAGUAeABlAGMAdQB0AGEAYgBsAGUAcABhAHQAaAA7ACAAUwB0AG8AcAAtAFAAcgBvAGMAZQBzAHMAIAAtAEkARAAgACQAZwB6AHkAYgAgAC0ARgBvAHIAYwBlADsAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAxADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAHAAYQB0AGgAIAAkAHcAZQB4AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RMBMfDVJsYtfOtLClj.com

Filesize
1.0MB

MD5
933008580964d519a02f4b588108bdb4

SHA1
4856a2fa045b4370bee05542abaec4cc595ddeb0

SHA256
81d77697d8dc9caaada1594549fd50e0efafa38f91cf56b8e75259bba13fd0ac

SHA512
3e00a7b10c17fa1ea7260d62283eb5afc0318e60386fc80904817024c6b9793e2d27b0b07efbc694e1435944b530894103598f6e148277579f75f6935f7e596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\UHgfmTHdwSmBZQWsnF.com

Filesize
154KB

MD5
94afefeee0f34c3fe9bce965736f91cd

SHA1
d3fd61d42a6d8df0886d0d827791a8af5c4fb318

SHA256
357e29849c872014ea9af003c6755a857808dcd678e464d0beb65a5ba9ace69d

SHA512
2b181eb28aa640f7ca7017edbee00792a83647b13f8380f2d2dab1763f9350364eb5421279a58c16ac51fba65232ba7d1a04b845a1732cb16ce0618440e6693c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
8ed172328f643375ac09b31ffba0eb63

SHA1
c6716e5e5a311f597e37c5660b0387ab8f77b2a0

SHA256
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928

SHA512
79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\csrss.com

Filesize
921KB

MD5
8ed172328f643375ac09b31ffba0eb63

SHA1
c6716e5e5a311f597e37c5660b0387ab8f77b2a0

SHA256
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928

SHA512
79efbac3cbf2bbbf1b5572a3036845fd544210a01adf9850d22587df12fd84832e14e8f7e0476955a8d9bb42ff0be5ca4443cee8e83dc396e70d850e31c60938

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\gsTWaUtfdIy.com

Filesize
410B

MD5
bc98680b05d09039d8f0ce53c92fce23

SHA1
2dc2da559d9cafeb9104a88fb6aec0af9e41efef

SHA256
89fa517cdaf5c467ee9b5babf559991e915fbb1e27400d81d40deb1834075dab

SHA512
414b86061b229d0468065c3b365846525e4f428725ead2a191f6eb9a76ad3a3aea7bf13f3d94274017f0794e2c86ae2ca39e214e03c42a411d7f02afd77fae08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\lxUwnmQHLTelioanY.com

Filesize
921KB

MD5
c317736793ef5129f12a3568cd679422

SHA1
e68b55969c5f2159c847a629fac3731c0c315d53

SHA256
cbb5d906c63cbcb891b35e53156b643ac26c5dec922f43b2fd121ccca60beb62

SHA512
69cb5fd5f1a30c3c786ca945b8de6a460d03605fc3416a3c33e69691603e1a43ad0cfefe9cd5d6af1a154b701ecf34526cc05d9235a4e38acf994eb0edb1a82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\w

Filesize
776KB

MD5
f199cb4506da1c476ea6815ce34b0b78

SHA1
f12014971bc9d510962399d88cd8057a963e63a1

SHA256
fa6b8755da00b034511195fb9c65f33ec170daa34585e175b3f7e94ebcbb7d0a

SHA512
8dd42cf9ed168f07b120f60b99a815439a7510e6d4e165be6c689fdf6e13b1affc2647bf3f4a7f1a227d560e88d250158812f3072e71a374944942de9b1647d0

Download Submit
memory/3108-162-0x0000000017510000-0x000000001754C000-memory.dmp

Filesize
240KB

Download
memory/3108-163-0x00000000177B0000-0x00000000178BA000-memory.dmp

Filesize
1.0MB

Download
memory/3108-161-0x00000000174B0000-0x00000000174C2000-memory.dmp

Filesize
72KB

Download
memory/3108-160-0x0000000017BB0000-0x00000000181C8000-memory.dmp

Filesize
6.1MB

Download
memory/3108-159-0x0000000000D70000-0x0000000000D9C000-memory.dmp

Filesize
176KB

Download
memory/4932-148-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/4932-155-0x0000000006D50000-0x0000000006D72000-memory.dmp

Filesize
136KB

Download
memory/4932-156-0x00000000080E0000-0x0000000008684000-memory.dmp

Filesize
5.6MB

Download
memory/4932-157-0x0000000008D10000-0x000000000938A000-memory.dmp

Filesize
6.5MB

Download
memory/4932-154-0x0000000006CD0000-0x0000000006CEA000-memory.dmp

Filesize
104KB

Download
memory/4932-153-0x0000000007A90000-0x0000000007B26000-memory.dmp

Filesize
600KB

Download
memory/4932-152-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/4932-151-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/4932-150-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/4932-149-0x0000000005A40000-0x0000000005A62000-memory.dmp

Filesize
136KB

Download
memory/4932-147-0x0000000003300000-0x0000000003336000-memory.dmp

Filesize
216KB

Download