redline | 660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42

Analysis

max time kernel
60s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2022, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe
Size

7.2MB
MD5

971bda1afde3df57ec466d5b345bfd74
SHA1

5d4a8aa30bf13921ba9406917ecc048bdc3a796c
SHA256

660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42
SHA512

b0f50f4268042e44200a413a91439ca06ef2701d99d4e4fd03a0f8a1379342273fd4d9f600ad3d3dce6cd714cbff9fd8feb46b6f39aa6af567b3c88130d10763
SSDEEP

196608:dS6dQmRrdA6lakaqdVTiZQ8OJYlR8eNyDqo:JdQOlawd6Q8OalRZ2r

Score

10^/10

redline 3.0.0.1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

3.0.0.1

195.133.46.152:30098

Attributes

auth_value
b61fcbd1f87b475d1753fe6411f2847a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/4720-151-0x00000000007A0000-0x0000000000B66000-memory.dmp	family_redline
behavioral2/memory/4720-164-0x00000000007A0000-0x0000000000B66000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
5020	Dot.exe
112	pdn.sfx.exe
4720	pdn.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Dot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	pdn.sfx.exe

Loads dropped DLL 2 IoCs

pid	Process
4136	660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe
4136	660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4720	pdn.exe
4720	pdn.exe
4720	pdn.exe
4720	pdn.exe
4720	pdn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4720	pdn.exe
4720	pdn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	pdn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4720	pdn.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 4136	4044	660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe	80
PID 4044 wrote to memory of 4136	4044	660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe	80
PID 4136 wrote to memory of 644	4136	660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe	81
PID 4136 wrote to memory of 644	4136	660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe	81
PID 644 wrote to memory of 5020	644	cmd.exe	83
PID 644 wrote to memory of 5020	644	cmd.exe	83
PID 644 wrote to memory of 5020	644	cmd.exe	83
PID 5020 wrote to memory of 1736	5020	Dot.exe	84
PID 5020 wrote to memory of 1736	5020	Dot.exe	84
PID 5020 wrote to memory of 1736	5020	Dot.exe	84
PID 1736 wrote to memory of 112	1736	cmd.exe	87
PID 1736 wrote to memory of 112	1736	cmd.exe	87
PID 1736 wrote to memory of 112	1736	cmd.exe	87
PID 112 wrote to memory of 4720	112	pdn.sfx.exe	88
PID 112 wrote to memory of 4720	112	pdn.sfx.exe	88
PID 112 wrote to memory of 4720	112	pdn.sfx.exe	88

C:\Users\Admin\AppData\Local\Temp\660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe
"C:\Users\Admin\AppData\Local\Temp\660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe
  "C:\Users\Admin\AppData\Local\Temp\660a631fc6a14789fcf20cd1dc09e91b8e4255e8ddf95fe2471440808dc27c42.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_MEI40442\Dot.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Users\Admin\AppData\Local\Temp\_MEI40442\Dot.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI40442\Dot.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\dot.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\pdn.sfx.exe
        
        pdn.sfx.exe -p0xqzq29910292999x90apwz29
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\pdn.exe
        
        "C:\pdn.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI40442\Dot.exe

Filesize
1.7MB

MD5
a96234ea3a825bdd28908c0a1431d055

SHA1
013840b8f49d644c52c4a602d2aa8c50569a5144

SHA256
1359202dc8ee6882354ee4b933600852bd6f5cfb7d0e18e9c968eea30e458283

SHA512
1c63a520f88f005479b885a9280854299a4d2995016d0e4071eb20cfbe68677e702221a81d11b3b4811056be63146d59cefcfac5103c92d93e77f6990f6e73b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\Dot.exe

Filesize
1.7MB

MD5
a96234ea3a825bdd28908c0a1431d055

SHA1
013840b8f49d644c52c4a602d2aa8c50569a5144

SHA256
1359202dc8ee6882354ee4b933600852bd6f5cfb7d0e18e9c968eea30e458283

SHA512
1c63a520f88f005479b885a9280854299a4d2995016d0e4071eb20cfbe68677e702221a81d11b3b4811056be63146d59cefcfac5103c92d93e77f6990f6e73b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\base_library.zip

Filesize
1.0MB

MD5
403cd6911e0c9a6cde0dfd46d4ae22a9

SHA1
de51ea06bef6a163d29fab56fe8a8da267ec8272

SHA256
116e6df9b7b76be9c03e803fe5bb99eb200a9e240586713ea3b51b52af0d20f9

SHA512
9b17c720120e841ce2ee52b289f7070ccc6a0d3b03698eba9c416a1c30285c6a3a2fa262a0e01c6acd8600359dd348602d63c6af4c3eb3a3c173902fe5c1f6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40442\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\dot.bat

Filesize
61B

MD5
890658ac8fb42fa017e320128fd3e161

SHA1
f9a3c3201ef421762e4dc82217e1ad8d0619cb1b

SHA256
c25ef09a8bc6befe1bb447903f9bc937516a1e4e2151943d55bc06cd7057be1e

SHA512
777748547a830b71cedef9fa6b5741460d7208a2b893e10846cb25b67b1b5d7d732fae94ec5a7451e82ee66df462912ed48a306404acd7b6b88012c91bfad7ff

Download Submit
C:\pdn.exe

Filesize
1.2MB

MD5
e1d3c55164e69f8c080d6a7896414a5e

SHA1
208451514760f65a3aff4b8150088d7d20a9347d

SHA256
4dcdda30df51eb308b0c7b2e8b3d98a5335afc09fb6f46eb4ef4fc4a1038ec4c

SHA512
a8cb8f2b8ce28868d255adf08661e0a63d7592db24456759e0b7e8829347e102abc603de2895105eebfe3f2bf6348454eaddc0e2479537529d3c6cdb34623001

Download Submit
C:\pdn.exe

Filesize
1.2MB

MD5
e1d3c55164e69f8c080d6a7896414a5e

SHA1
208451514760f65a3aff4b8150088d7d20a9347d

SHA256
4dcdda30df51eb308b0c7b2e8b3d98a5335afc09fb6f46eb4ef4fc4a1038ec4c

SHA512
a8cb8f2b8ce28868d255adf08661e0a63d7592db24456759e0b7e8829347e102abc603de2895105eebfe3f2bf6348454eaddc0e2479537529d3c6cdb34623001

Download Submit
C:\pdn.sfx.exe

Filesize
1.5MB

MD5
fce957004250d44e208a10ed7d2b391b

SHA1
146a64e38d13bbf358867b8338d509387be6e574

SHA256
f067d579876a889a404ceaf7a1b4d4a0580c98a7ab54541cb7ee3fec35c7c594

SHA512
22a5cf0c97fe296aba27c94eab80df2cecb76061b945f935bce6afa9969d56ab39206f901baf4946f187cb173733385524dfb90b9683587217e01f55966b3b7b

Download Submit
C:\pdn.sfx.exe

Filesize
1.5MB

MD5
fce957004250d44e208a10ed7d2b391b

SHA1
146a64e38d13bbf358867b8338d509387be6e574

SHA256
f067d579876a889a404ceaf7a1b4d4a0580c98a7ab54541cb7ee3fec35c7c594

SHA512
22a5cf0c97fe296aba27c94eab80df2cecb76061b945f935bce6afa9969d56ab39206f901baf4946f187cb173733385524dfb90b9683587217e01f55966b3b7b

Download Submit
memory/4720-153-0x00000000007A0000-0x0000000000B66000-memory.dmp

Filesize
3.8MB

Download
memory/4720-161-0x000000000D070000-0x000000000D59C000-memory.dmp

Filesize
5.2MB

Download
memory/4720-150-0x00000000007A0000-0x0000000000B66000-memory.dmp

Filesize
3.8MB

Download
memory/4720-151-0x00000000007A0000-0x0000000000B66000-memory.dmp

Filesize
3.8MB

Download
memory/4720-152-0x000000000B7F0000-0x000000000BE08000-memory.dmp

Filesize
6.1MB

Download
memory/4720-164-0x00000000007A0000-0x0000000000B66000-memory.dmp

Filesize
3.8MB

Download
memory/4720-154-0x000000000B320000-0x000000000B42A000-memory.dmp

Filesize
1.0MB

Download
memory/4720-155-0x000000000B240000-0x000000000B252000-memory.dmp

Filesize
72KB

Download
memory/4720-156-0x000000000B2A0000-0x000000000B2DC000-memory.dmp

Filesize
240KB

Download
memory/4720-157-0x000000000C3C0000-0x000000000C964000-memory.dmp

Filesize
5.6MB

Download
memory/4720-158-0x000000000B700000-0x000000000B792000-memory.dmp

Filesize
584KB

Download
memory/4720-159-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/4720-160-0x000000000C970000-0x000000000CB32000-memory.dmp

Filesize
1.8MB

Download
memory/4720-162-0x000000000CFD0000-0x000000000D046000-memory.dmp

Filesize
472KB

Download
memory/4720-163-0x000000000C370000-0x000000000C3C0000-memory.dmp

Filesize
320KB

Download