redline | 91fde83c85a83a2ce242a1ebb819fd0eddc7291562d3cc756d64b6fd0a386b94

General

Target

file.exe
Size

330KB
MD5

cceeb294bd5e7b01e40f94616ae20df4
SHA1

6850d9bfbcc00b9cae98f197350905e3c2eca4e8
SHA256

91fde83c85a83a2ce242a1ebb819fd0eddc7291562d3cc756d64b6fd0a386b94
SHA512

121d63205c67b1bb7df41dc27169930a3f8acff7e16b1cdb39082e9d92c669348fc962b0b3d09e661c7e39f39c4a18a45db11918879f3e278d57d5774b0e4d10
SSDEEP

6144:PZY9aCa+KPVlA86o/29e3ohFFhmbcv3I+Q6rG5L/V:e9FKh6ou9wobm4v3I+Qn

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)infostealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

135.125.27.235:22883

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

s.exec.exewatchdog.exe

pid process

316 s.exe
4472 c.exe
4800 watchdog.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 2 IoCs

Processes:

file.exes.exe

description pid process target process

PID 4868 set thread context of 3592 4868 file.exe RegSvcs.exe
PID 316 set thread context of 3576 316 s.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4068 316 WerFault.exe s.exe

pid	process
316	s.exe
4472	c.exe
4800	watchdog.exe

description	pid	process	target process
PID 4868 set thread context of 3592	4868	file.exe	RegSvcs.exe
PID 316 set thread context of 3576	316	s.exe	vbc.exe

pid	pid_target	process	target process
4068	316	WerFault.exe	s.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

file.exeRegSvcs.exes.exe

description	pid	process	target process
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 4868 wrote to memory of 3592	4868	file.exe	RegSvcs.exe
PID 3592 wrote to memory of 316	3592	RegSvcs.exe	s.exe
PID 3592 wrote to memory of 316	3592	RegSvcs.exe	s.exe
PID 3592 wrote to memory of 316	3592	RegSvcs.exe	s.exe
PID 316 wrote to memory of 3576	316	s.exe	vbc.exe
PID 316 wrote to memory of 3576	316	s.exe	vbc.exe
PID 316 wrote to memory of 3576	316	s.exe	vbc.exe
PID 316 wrote to memory of 3576	316	s.exe	vbc.exe
PID 316 wrote to memory of 3576	316	s.exe	vbc.exe
PID 3592 wrote to memory of 4472	3592	RegSvcs.exe	c.exe
PID 3592 wrote to memory of 4472	3592	RegSvcs.exe	c.exe
PID 3592 wrote to memory of 4472	3592	RegSvcs.exe	c.exe
PID 3592 wrote to memory of 4800	3592	RegSvcs.exe	watchdog.exe
PID 3592 wrote to memory of 4800	3592	RegSvcs.exe	watchdog.exe
PID 3592 wrote to memory of 4800	3592	RegSvcs.exe	watchdog.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 432
4⤵
- Program crash
PID:4068

C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
3⤵
- Executes dropped EXE
PID:4472

C:\Users\Admin\AppData\Local\Temp\watchdog.exe
"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
3⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 316 -ip 316
1⤵
PID:3744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.exe
Filesize
2.9MB

MD5
dfe93d0badc5903468c45eb9bec610ac

SHA1
03e0670c4c28256972e4413be8e2123fc85d12f3

SHA256
36df4f3329d578af2447816e17eaace71c54f287b649e9e2b18bc81878eb9bb1

SHA512
6be310a381d47116b31362a8acf0702a546e5fc9bcc3eb59f16866758a18ba258789cd3f3db7065fe291f068791493198cb14c58c55aa1b769efaaba1ec3a840

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.exe
Filesize
2.9MB

MD5
dfe93d0badc5903468c45eb9bec610ac

SHA1
03e0670c4c28256972e4413be8e2123fc85d12f3

SHA256
36df4f3329d578af2447816e17eaace71c54f287b649e9e2b18bc81878eb9bb1

SHA512
6be310a381d47116b31362a8acf0702a546e5fc9bcc3eb59f16866758a18ba258789cd3f3db7065fe291f068791493198cb14c58c55aa1b769efaaba1ec3a840

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.exe
Filesize
512KB

MD5
f8406736cb304f12b915197ac4557c46

SHA1
eeb1cc9e74eac645a269a9fa8cb55d48d5571bd5

SHA256
53cf8b6c232faba4c05e361a278db4387eac994c16b24393b5b7e9f56806d59b

SHA512
c3ed779e41feb7f6cec3fe1cc845e0f01fb39b1cbc5fd09d0b04cf2ecaf0216b85af3a41ba674c6c7e39b37eb089e44d4f65b3b23bafb59de2b506c60c2ec748

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.exe
Filesize
512KB

MD5
f8406736cb304f12b915197ac4557c46

SHA1
eeb1cc9e74eac645a269a9fa8cb55d48d5571bd5

SHA256
53cf8b6c232faba4c05e361a278db4387eac994c16b24393b5b7e9f56806d59b

SHA512
c3ed779e41feb7f6cec3fe1cc845e0f01fb39b1cbc5fd09d0b04cf2ecaf0216b85af3a41ba674c6c7e39b37eb089e44d4f65b3b23bafb59de2b506c60c2ec748

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.exe
Filesize
350KB

MD5
b7a412ffde040190557f7373f0e86304

SHA1
537d6c582ae306c53a1322cba301c9add2043030

SHA256
a6785854cbd1234e79019fb49d07e0572c6897ebe1a341b8c3c83f690fbe812c

SHA512
c98179dc9e1832b9d11eabde682f33afefc8dd9762b978186ad33df25d1a9bc3b86ddbdd097aaa4ede7d6d35c7abc25524dd8119e4fba44cf8c1dd4fff481c29

Download Submit
memory/316-137-0x0000000000000000-mapping.dmp

Download
memory/3576-151-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/3576-152-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/3576-140-0x0000000000000000-mapping.dmp

Download
memory/3576-141-0x0000000000390000-0x00000000003C2000-memory.dmp

Filesize
200KB

Download
memory/3576-150-0x0000000004FF0000-0x00000000050FA000-memory.dmp

Filesize
1.0MB

Download
memory/3576-149-0x0000000005470000-0x0000000005A88000-memory.dmp

Filesize
6.1MB

Download
memory/3592-135-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3592-134-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3592-132-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3592-136-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/3592-133-0x000000014000356C-mapping.dmp

Download
memory/3592-155-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/4472-146-0x0000000000000000-mapping.dmp

Download
memory/4800-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing