redline | 15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd

General

Target

b89982510003a83b72e023cefc4edd8e.exe
Size

1.9MB
MD5

b89982510003a83b72e023cefc4edd8e
SHA1

b97b061a10191eb3ce6382b6ce55b5bc0b3108fc
SHA256

15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd
SHA512

71fd21d18931d3bc5c3f0bc395df644d77af65a2ffbb83e9b23eaae42322710e62a6a658938d763b1547077433f06a99d6fcfed18787545ccaa8c2de21dc11e5
SSDEEP

49152:V5Ov3R+uH6r5eKowZO1Oz3tLcmkDLLEYzdGPET:V5Gh+iOz3tLwnRGi

Score

10^/10

redline logsdiller cloud (telegram: @logsdillabot)socicalbot infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

C2

51.210.137.6:47909

Attributes

auth_value
c2955ed3813a798683a185a82e949f88

Extracted

Family

redline

Botnet

socicalbot

C2

149.28.205.74:2470

Attributes

auth_value
9c51f0d7102febd61d441fffb9c4bb47

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

7 4268 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

tel.exefcc.exejjj.exe

pid process

4600 tel.exe
4400 fcc.exe
2228 jjj.exe

flow	pid	process
7	4268	WScript.exe

pid	process
4600	tel.exe
4400	fcc.exe
2228	jjj.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b89982510003a83b72e023cefc4edd8e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b89982510003a83b72e023cefc4edd8e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 2 IoCs

Processes:

tel.exejjj.exe

description pid process target process

PID 4600 set thread context of 3968 4600 tel.exe vbc.exe
PID 2228 set thread context of 3336 2228 jjj.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

812 4600 WerFault.exe tel.exe
4448 2228 WerFault.exe jjj.exe

description	pid	process	target process
PID 4600 set thread context of 3968	4600	tel.exe	vbc.exe
PID 2228 set thread context of 3336	2228	jjj.exe	vbc.exe

pid	pid_target	process	target process
812	4600	WerFault.exe	tel.exe
4448	2228	WerFault.exe	jjj.exe

Modifies registry class 1 IoCs

Processes:

b89982510003a83b72e023cefc4edd8e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	b89982510003a83b72e023cefc4edd8e.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exevbc.exe

pid process

3968 vbc.exe
3968 vbc.exe
3336 vbc.exe
3336 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 3968 vbc.exe
Token: SeDebugPrivilege 3336 vbc.exe

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3968	vbc.exe
3968	vbc.exe
3336	vbc.exe
3336	vbc.exe

description	pid	process
Token: SeDebugPrivilege	3968	vbc.exe
Token: SeDebugPrivilege	3336	vbc.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

b89982510003a83b72e023cefc4edd8e.exefcc.exetel.exejjj.exe

description	pid	process	target process
PID 1612 wrote to memory of 4268	1612	b89982510003a83b72e023cefc4edd8e.exe	WScript.exe
PID 1612 wrote to memory of 4268	1612	b89982510003a83b72e023cefc4edd8e.exe	WScript.exe
PID 1612 wrote to memory of 4268	1612	b89982510003a83b72e023cefc4edd8e.exe	WScript.exe
PID 1612 wrote to memory of 4600	1612	b89982510003a83b72e023cefc4edd8e.exe	tel.exe
PID 1612 wrote to memory of 4600	1612	b89982510003a83b72e023cefc4edd8e.exe	tel.exe
PID 1612 wrote to memory of 4600	1612	b89982510003a83b72e023cefc4edd8e.exe	tel.exe
PID 1612 wrote to memory of 4400	1612	b89982510003a83b72e023cefc4edd8e.exe	fcc.exe
PID 1612 wrote to memory of 4400	1612	b89982510003a83b72e023cefc4edd8e.exe	fcc.exe
PID 1612 wrote to memory of 4400	1612	b89982510003a83b72e023cefc4edd8e.exe	fcc.exe
PID 1612 wrote to memory of 2228	1612	b89982510003a83b72e023cefc4edd8e.exe	jjj.exe
PID 1612 wrote to memory of 2228	1612	b89982510003a83b72e023cefc4edd8e.exe	jjj.exe
PID 1612 wrote to memory of 2228	1612	b89982510003a83b72e023cefc4edd8e.exe	jjj.exe
PID 4400 wrote to memory of 1588	4400	fcc.exe	cmd.exe
PID 4400 wrote to memory of 1588	4400	fcc.exe	cmd.exe
PID 4400 wrote to memory of 1588	4400	fcc.exe	cmd.exe
PID 4600 wrote to memory of 3968	4600	tel.exe	vbc.exe
PID 4600 wrote to memory of 3968	4600	tel.exe	vbc.exe
PID 4600 wrote to memory of 3968	4600	tel.exe	vbc.exe
PID 4600 wrote to memory of 3968	4600	tel.exe	vbc.exe
PID 4600 wrote to memory of 3968	4600	tel.exe	vbc.exe
PID 2228 wrote to memory of 3336	2228	jjj.exe	vbc.exe
PID 2228 wrote to memory of 3336	2228	jjj.exe	vbc.exe
PID 2228 wrote to memory of 3336	2228	jjj.exe	vbc.exe
PID 2228 wrote to memory of 3336	2228	jjj.exe	vbc.exe
PID 2228 wrote to memory of 3336	2228	jjj.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\b89982510003a83b72e023cefc4edd8e.exe
"C:\Users\Admin\AppData\Local\Temp\b89982510003a83b72e023cefc4edd8e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
2⤵
- Blocklisted process makes network request
PID:4268

C:\Windows\Temp\tel.exe
"C:\Windows\Temp\tel.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 252
3⤵
- Program crash
PID:812

C:\Windows\Temp\fcc.exe
"C:\Windows\Temp\fcc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
3⤵
PID:1588

C:\Windows\Temp\jjj.exe
"C:\Windows\Temp\jjj.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 244
3⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4600 -ip 4600
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2228 -ip 2228
1⤵
PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
Filesize
2KB

MD5
c89455577734b863a447e44a57dd60ea

SHA1
82530ad7e337b4c866beb8e9f1d0e2e0011ed8bc

SHA256
bfa39bf8f525794b4bd761834f5e475752a899f7d707932ec4561d656dcbdd70

SHA512
bdc2adacc8c447129bd5ad9d4e3cd965ad7e1fd1d7ed6d1e4d92159761c6e1e83a5b30226002dedbacfcd0ccca48d49a1be895c6b2ce73dadf0d89118be72de2

Download Submit
C:\Windows\Temp\1.vbs
Filesize
105B

MD5
07e1e48d3df9b78f2fc2db6cf3f81a55

SHA1
8e998dec6ad9c779e5eeebb5cf40f2f436dfc26f

SHA256
9b6bea54b95a14045f6b527675a9456fd4d8d22dcd22e0d1eedac440fe8b02fb

SHA512
001a1de66dbec029dc2422ff93e0ba6b882ba54f3316b4e4a912052d6d054e77142432f8550281c3edec98b07a6c12c5d0659ed1f1af143c2b9edcd6a2a18b9b

Download Submit
C:\Windows\Temp\fcc.exe
Filesize
2.5MB

MD5
4075e44d856c8340053b221f6077281b

SHA1
fd1adf1a8dd0cc3e6f5185668e85015f7bd449ac

SHA256
2101eaf3e97324925e22a012d91325dce329c18563a91919dd8a699d03b28d6b

SHA512
d1fdaa55250b0b7fe589419b7068c7c38a6af8a96100844e081cbc619801e5a33c30f1ca3cbe51312776e6613d92fab7ddf40661a6e611459666b56698337286

Download Submit
C:\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
C:\Windows\Temp\jjj.exe
Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
C:\Windows\Temp\tel.exe
Filesize
355KB

MD5
89a44c83a4cb4ae7c59c5afde077ef7a

SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b

SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83

SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d

Download Submit
C:\Windows\Temp\tel.exe
Filesize
355KB

MD5
89a44c83a4cb4ae7c59c5afde077ef7a

SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b

SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83

SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d

Download Submit
memory/1588-142-0x0000000000000000-mapping.dmp

Download
memory/2228-139-0x0000000000000000-mapping.dmp

Download
memory/3336-154-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3336-153-0x0000000000000000-mapping.dmp

Download
memory/3968-162-0x0000000006EE0000-0x0000000006F56000-memory.dmp

Filesize
472KB

Download
memory/3968-143-0x0000000000000000-mapping.dmp

Download
memory/3968-149-0x0000000005CE0000-0x00000000062F8000-memory.dmp

Filesize
6.1MB

Download
memory/3968-150-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/3968-159-0x0000000005B10000-0x0000000005BA2000-memory.dmp

Filesize
584KB

Download
memory/3968-152-0x00000000057D0000-0x000000000580C000-memory.dmp

Filesize
240KB

Download
memory/3968-144-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3968-165-0x0000000007880000-0x0000000007DAC000-memory.dmp

Filesize
5.2MB

Download
memory/3968-151-0x0000000005770000-0x0000000005782000-memory.dmp

Filesize
72KB

Download
memory/3968-160-0x00000000068B0000-0x0000000006E54000-memory.dmp

Filesize
5.6MB

Download
memory/3968-161-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/3968-164-0x0000000007180000-0x0000000007342000-memory.dmp

Filesize
1.8MB

Download
memory/3968-163-0x0000000006F60000-0x0000000006FB0000-memory.dmp

Filesize
320KB

Download
memory/4268-132-0x0000000000000000-mapping.dmp

Download
memory/4400-136-0x0000000000000000-mapping.dmp

Download
memory/4600-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads