redline | d3eadb0bfec97357ff2aab4b1a0cf0e241de29eef7c67c9def68b40142fe1f31

General

Target

66721704fcb230df0479066c961b704d.exe
Size

1.3MB
MD5

66721704fcb230df0479066c961b704d
SHA1

06846af0ac608f14177c26cb3c15bf2a028a736e
SHA256

d3eadb0bfec97357ff2aab4b1a0cf0e241de29eef7c67c9def68b40142fe1f31
SHA512

9b05d40c8f11dc360473cf072bd9d79642cd27cf9d37b43a878c7228093c4a7fc92da1633492e5495be88c29cb0c2051f93ddf4633478db04570400cd853e4ff
SSDEEP

24576:mpRkyTKA1eBSjvjmviCWYoa19btJGnjPGcoielIYACCSFAsnCE:BU5ex6zxa19btJGnrguYAERC

Score

10^/10

redline @ebaniynoyname infostealer persistence spyware

Malware Config

Extracted

Family

redline

Botnet

@EBANIYNOYNAME

C2

82.115.223.162:26393

Attributes

auth_value
3517499b9df589c8c64f775931cb7b6d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/101772-133-0x0000000000430000-0x0000000000458000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3188	Ubisoft.exe
1560	Ubisoft.exe
2916	Decoder.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Ubisoft.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Ubisoft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Ubisoft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Thyzblmtm = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mbirag\\Thyzblmtm.exe\""	Ubisoft.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 101772	1500	66721704fcb230df0479066c961b704d.exe	83
PID 3188 set thread context of 1560	3188	Ubisoft.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
101980	1500	WerFault.exe	80

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2916	Decoder.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
101772	vbc.exe
101772	vbc.exe
3968	powershell.exe
3968	powershell.exe
3188	Ubisoft.exe
3188	Ubisoft.exe
3188	Ubisoft.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	101772	vbc.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3188	Ubisoft.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 101772	1500	66721704fcb230df0479066c961b704d.exe	83
PID 1500 wrote to memory of 101772	1500	66721704fcb230df0479066c961b704d.exe	83
PID 1500 wrote to memory of 101772	1500	66721704fcb230df0479066c961b704d.exe	83
PID 1500 wrote to memory of 101772	1500	66721704fcb230df0479066c961b704d.exe	83
PID 1500 wrote to memory of 101772	1500	66721704fcb230df0479066c961b704d.exe	83
PID 101772 wrote to memory of 3188	101772	vbc.exe	93
PID 101772 wrote to memory of 3188	101772	vbc.exe	93
PID 3188 wrote to memory of 3968	3188	Ubisoft.exe	95
PID 3188 wrote to memory of 3968	3188	Ubisoft.exe	95
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 3188 wrote to memory of 1560	3188	Ubisoft.exe	97
PID 1560 wrote to memory of 2916	1560	Ubisoft.exe	98
PID 1560 wrote to memory of 2916	1560	Ubisoft.exe	98
PID 1560 wrote to memory of 2916	1560	Ubisoft.exe	98

C:\Users\Admin\AppData\Local\Temp\66721704fcb230df0479066c961b704d.exe
"C:\Users\Admin\AppData\Local\Temp\66721704fcb230df0479066c961b704d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:101772
- - C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe
    "C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe
      C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:2916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 98680
  2⤵
  - Program crash
  PID:101980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1500 -ip 1500
1⤵
PID:101848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe

Filesize
560.8MB

MD5
7b9a9b18c5b687c641fd029d9b730af9

SHA1
4e6e8bdda1aa7f59ff3da07dbdf4fdde4fded570

SHA256
939a930507137c8147bd4e9b93d24930c13bda9fed9d35eb9cf4d3a64abe8561

SHA512
d46a02623769179349f1da5c1cddd9c550f0c5dec44644a98d5d718126b17ff6650aa2172a2423c005ece527a40614079cf1492b66b510943114f2a4bb6eda9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe

Filesize
601.7MB

MD5
9d8e71ae4157ea86ba771d0ca7d1f748

SHA1
c6ffe12d777931877dc8f0fdddd39667b1ebbab4

SHA256
18b6296e1687472abe94baf2fa4567b3a8c2f651441d9485a13ba48ec9a5481d

SHA512
30decef87d5904559c3390abf4c7d48f89a32e57cb6b66724e86517f6459ff014d71858c80cea1f16412eb531bacb8c4080c5511bf0f5b5daa329df52818badd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ubisoft.exe

Filesize
1.5MB

MD5
49ea5876ebd50e9dc4abf82075543af3

SHA1
738f86ae40a01e6abcfd687e680ec42c96882caa

SHA256
35934fa08336d8dd4a47f495a9a39a2b055e45e0ffa6058d375bfb562f9c87c2

SHA512
1119dde5c345e6ef9cba5bd52ec97a4297e7ed7516c8a17f7683683bb68d4a4622ccb5952453c1d78fb61dbb21dc8896c8aba4934256e8434eedf2b8ad8f08e7

Download Submit
memory/1560-164-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1560-166-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1560-171-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1560-163-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1560-160-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2916-170-0x0000000000840000-0x00000000009F2000-memory.dmp

Filesize
1.7MB

Download
memory/2916-172-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/3188-154-0x00000174378C0000-0x00000174378E2000-memory.dmp

Filesize
136KB

Download
memory/3188-152-0x000001741CE30000-0x000001741CFBC000-memory.dmp

Filesize
1.5MB

Download
memory/3188-153-0x00007FFCA9AE0000-0x00007FFCAA5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3188-165-0x00007FFCA9AE0000-0x00007FFCAA5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3188-157-0x00007FFCA9AE0000-0x00007FFCAA5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3968-156-0x00007FFCA9AE0000-0x00007FFCAA5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3968-158-0x00007FFCA9AE0000-0x00007FFCAA5A1000-memory.dmp

Filesize
10.8MB

Download
memory/3968-159-0x00007FFCA9AE0000-0x00007FFCAA5A1000-memory.dmp

Filesize
10.8MB

Download
memory/101772-147-0x0000000008060000-0x0000000008222000-memory.dmp

Filesize
1.8MB

Download
memory/101772-148-0x0000000008E20000-0x000000000934C000-memory.dmp

Filesize
5.2MB

Download
memory/101772-146-0x0000000005510000-0x0000000005560000-memory.dmp

Filesize
320KB

Download
memory/101772-145-0x0000000005490000-0x0000000005506000-memory.dmp

Filesize
472KB

Download
memory/101772-144-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/101772-143-0x0000000008340000-0x00000000088E4000-memory.dmp

Filesize
5.6MB

Download
memory/101772-142-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/101772-141-0x00000000073A0000-0x00000000073DC000-memory.dmp

Filesize
240KB

Download
memory/101772-140-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/101772-139-0x0000000007090000-0x000000000719A000-memory.dmp

Filesize
1.0MB

Download
memory/101772-138-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/101772-133-0x0000000000430000-0x0000000000458000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing