redline | 29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1

General

Target

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
Size

785KB
MD5

d6e9e86e003086022805cd59d1a406bd
SHA1

514a4aaa1d1a0577fb1f84ff5d36cba8ea9619ea
SHA256

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1
SHA512

bff9b88db4187f31f1aa4f405d676df909eacf5ad48a9f413278e2fdc656e735c0ab265f0f4cdc87b8885d15109ffc7cfca071faca9352988ec2a6f0afb36ac9
SSDEEP

1536:Wrae78zjORCDGwfdCSog01313os5gP2DKPJY8rPf128M+ZtgTr2u92PUmqIf0O0Q:uahKyd2n31x5BuIZ7T9vGPr

Score

10^/10

redline bethoven discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

bethoven

C2

185.215.113.46:8223

Attributes

auth_value
42d21fccbcd8cb0441971e6ed0b0897a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4108-146-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2744	SETUP_~1.EXE
4108	SETUP_~1.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SETUP_~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 4108	2744	SETUP_~1.EXE	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4324	powershell.exe
4324	powershell.exe
4108	SETUP_~1.EXE
4108	SETUP_~1.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	SETUP_~1.EXE
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4108	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 2744	3740	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	82
PID 3740 wrote to memory of 2744	3740	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	82
PID 3740 wrote to memory of 2744	3740	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	82
PID 2744 wrote to memory of 4324	2744	SETUP_~1.EXE	89
PID 2744 wrote to memory of 4324	2744	SETUP_~1.EXE	89
PID 2744 wrote to memory of 4324	2744	SETUP_~1.EXE	89
PID 2744 wrote to memory of 4108	2744	SETUP_~1.EXE	92
PID 2744 wrote to memory of 4108	2744	SETUP_~1.EXE	92
PID 2744 wrote to memory of 4108	2744	SETUP_~1.EXE	92
PID 2744 wrote to memory of 4108	2744	SETUP_~1.EXE	92
PID 2744 wrote to memory of 4108	2744	SETUP_~1.EXE	92
PID 2744 wrote to memory of 4108	2744	SETUP_~1.EXE	92
PID 2744 wrote to memory of 4108	2744	SETUP_~1.EXE	92
PID 2744 wrote to memory of 4108	2744	SETUP_~1.EXE	92

C:\Users\Admin\AppData\Local\Temp\29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
"C:\Users\Admin\AppData\Local\Temp\29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SETUP_~1.EXE.log

Filesize
1KB

MD5
e87e48b105757e1c7563d1c719059733

SHA1
28a3f2b2e0672da2b531f4757d2b20b53032dafc

SHA256
0aaf22dc84cc3fcfe53de7ccfed8e662247dfb7f1a9967032c88790d0c663461

SHA512
bf19c5743143aee914a453c41189c722c9b90a5b8bf299cecf3e1f97656d32cd209ecb74da8aebc89bb41c27d189f73aaaabbc64fe383410c95dc76ad4218968

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
333.8MB

MD5
6adc030eeebd67c41f767f7ff4d7fea0

SHA1
e5d80aff951e4b6df714cb4eb650bafb54e87370

SHA256
b12ba6202ed39313ebef9404fd7513effd5c00d8e3f403fe971a8550843ef5ec

SHA512
9a3c48019d245e2a6e041bd8aa0a477c9f24d5678036a6252d112fe493283e5996ffbdcc7d0c8fdafbe0d636a4d26ae28a1c476222dbabb5ad9893b64e977475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
333.8MB

MD5
6adc030eeebd67c41f767f7ff4d7fea0

SHA1
e5d80aff951e4b6df714cb4eb650bafb54e87370

SHA256
b12ba6202ed39313ebef9404fd7513effd5c00d8e3f403fe971a8550843ef5ec

SHA512
9a3c48019d245e2a6e041bd8aa0a477c9f24d5678036a6252d112fe493283e5996ffbdcc7d0c8fdafbe0d636a4d26ae28a1c476222dbabb5ad9893b64e977475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
333.8MB

MD5
6adc030eeebd67c41f767f7ff4d7fea0

SHA1
e5d80aff951e4b6df714cb4eb650bafb54e87370

SHA256
b12ba6202ed39313ebef9404fd7513effd5c00d8e3f403fe971a8550843ef5ec

SHA512
9a3c48019d245e2a6e041bd8aa0a477c9f24d5678036a6252d112fe493283e5996ffbdcc7d0c8fdafbe0d636a4d26ae28a1c476222dbabb5ad9893b64e977475

Download Submit
memory/2744-135-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/2744-136-0x00000000073A0000-0x00000000073C2000-memory.dmp

Filesize
136KB

Download
memory/4108-154-0x0000000006BD0000-0x0000000007174000-memory.dmp

Filesize
5.6MB

Download
memory/4108-149-0x0000000005BB0000-0x00000000061C8000-memory.dmp

Filesize
6.1MB

Download
memory/4108-153-0x0000000006580000-0x0000000006612000-memory.dmp

Filesize
584KB

Download
memory/4108-152-0x00000000056C0000-0x00000000056FC000-memory.dmp

Filesize
240KB

Download
memory/4108-151-0x0000000005660000-0x0000000005672000-memory.dmp

Filesize
72KB

Download
memory/4108-150-0x0000000005730000-0x000000000583A000-memory.dmp

Filesize
1.0MB

Download
memory/4108-146-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4108-155-0x00000000069A0000-0x0000000006B62000-memory.dmp

Filesize
1.8MB

Download
memory/4108-156-0x00000000076B0000-0x0000000007BDC000-memory.dmp

Filesize
5.2MB

Download
memory/4324-138-0x0000000000B70000-0x0000000000BA6000-memory.dmp

Filesize
216KB

Download
memory/4324-144-0x0000000005F90000-0x0000000005FAA000-memory.dmp

Filesize
104KB

Download
memory/4324-143-0x00000000070E0000-0x000000000775A000-memory.dmp

Filesize
6.5MB

Download
memory/4324-142-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/4324-141-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/4324-140-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/4324-139-0x0000000004C20000-0x0000000005248000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing