redline | 7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e

General

Target

7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe
Size

2.5MB
MD5

923ef6896659d77fff914a9ec8e89fa9
SHA1

4ea7406c2c960f81e4db6e8891d426181692de39
SHA256

7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e
SHA512

95364df4761013aaac4051299566cbb6392cae6136949526f7219660f3461634bda86f469ae0f8d96b209fd0cce83cb4b914998992fca8efa6f8bcd5695db29a
SSDEEP

24576:1RjcXgYLSaH8MlV0/AGQsHE9iWJnVo2FDq6mZC/36Kp/letoreojRqk4vgtYVuQJ:Ljh3E7nVoYDv/3Dpf4qYV

Score

10^/10

redline @p1 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@P1

C2

193.106.191.138:32796

Attributes

auth_value
54c79ce081122137049ee07c0a2f38ab

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-133-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3A904DC4-5846-484A-99FF-508FA33026A0}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B1EAA8E1-798B-40D9-9B4B-CC02B7D257C3}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe

description	pid	process	target process
PID 1544 set thread context of 2668	1544	7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe	vbc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

2668 vbc.exe
2668 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 2668 vbc.exe

pid	process
2668	vbc.exe
2668	vbc.exe

description	pid	process
Token: SeDebugPrivilege	2668	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe

description	pid	process	target process
PID 1544 wrote to memory of 2668	1544	7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe	vbc.exe
PID 1544 wrote to memory of 2668	1544	7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe	vbc.exe
PID 1544 wrote to memory of 2668	1544	7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe	vbc.exe
PID 1544 wrote to memory of 2668	1544	7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe	vbc.exe
PID 1544 wrote to memory of 2668	1544	7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe
"C:\Users\Admin\AppData\Local\Temp\7ba9100db68486d5831e287941add783e9709276cde7e3e40ea219abde10874e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-132-0x0000000000000000-mapping.dmp

Download
memory/2668-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-138-0x0000000005E20000-0x0000000006438000-memory.dmp

Filesize
6.1MB

Download
memory/2668-139-0x00000000077B0000-0x00000000078BA000-memory.dmp

Filesize
1.0MB

Download
memory/2668-140-0x0000000005DF0000-0x0000000005E02000-memory.dmp

Filesize
72KB

Download
memory/2668-141-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/2668-142-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/2668-143-0x0000000008190000-0x0000000008734000-memory.dmp

Filesize
5.6MB

Download
memory/2668-144-0x0000000007960000-0x00000000079F2000-memory.dmp

Filesize
584KB

Download
memory/2668-145-0x0000000007CD0000-0x0000000007E92000-memory.dmp

Filesize
1.8MB

Download
memory/2668-146-0x0000000008C70000-0x000000000919C000-memory.dmp

Filesize
5.2MB

Download
memory/2668-147-0x0000000005920000-0x0000000005996000-memory.dmp

Filesize
472KB

Download
memory/2668-148-0x00000000059A0000-0x00000000059F0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads