redline | 5dfc270f4ab0582f5718784c455623755d8fb7a22a2e8db4d98be5ecb913352c

Analysis

max time kernel
108s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2023, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

12.5MB
MD5

d7ac9f5311f60a1e99d3547d66f19a4d
SHA1

17a4692a0afbad5be0e94d13d0a7ba5526d1b522
SHA256

5dfc270f4ab0582f5718784c455623755d8fb7a22a2e8db4d98be5ecb913352c
SHA512

c9af04f1324534ff842211f7b4cfa6abb49a8d987fd070a50918c7469b2d4d9d40992c972e51970c6245af12b43f107cdf0dd3f44e87b197d675a5f9ec86da7b
SSDEEP

393216:3xsX4B8eD3F+oI9KtC9N5cfZLxsaZf4nT7P4tU:3GI9FQ3OfZLSPP4q

Score

10^/10

redline infostealer spyware upx

Malware Config

Extracted

Family

redline

195.20.17.174:80

Attributes

auth_value
cf75908d75b4508135a38c8679c86f6e

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/2276-143-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
2760	animecool.exe
4164	poxuipluspoxui.exe
2276	nig1r21312312.exe
4352	ConsoleApplication1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2276-143-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0006000000022e04-141.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	setup.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 3888	2760	animecool.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3108	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3888	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2760	2076	setup.exe	88
PID 2076 wrote to memory of 2760	2076	setup.exe	88
PID 2076 wrote to memory of 2760	2076	setup.exe	88
PID 2076 wrote to memory of 4164	2076	setup.exe	91
PID 2076 wrote to memory of 4164	2076	setup.exe	91
PID 2076 wrote to memory of 4164	2076	setup.exe	91
PID 2076 wrote to memory of 4184	2076	setup.exe	93
PID 2076 wrote to memory of 4184	2076	setup.exe	93
PID 2076 wrote to memory of 4184	2076	setup.exe	93
PID 4184 wrote to memory of 2276	4184	cmd.exe	96
PID 4184 wrote to memory of 2276	4184	cmd.exe	96
PID 4184 wrote to memory of 2276	4184	cmd.exe	96
PID 2276 wrote to memory of 2632	2276	nig1r21312312.exe	97
PID 2276 wrote to memory of 2632	2276	nig1r21312312.exe	97
PID 2276 wrote to memory of 2632	2276	nig1r21312312.exe	97
PID 2632 wrote to memory of 3108	2632	cmd.exe	99
PID 2632 wrote to memory of 3108	2632	cmd.exe	99
PID 2632 wrote to memory of 3108	2632	cmd.exe	99
PID 2760 wrote to memory of 3888	2760	animecool.exe	100
PID 2760 wrote to memory of 3888	2760	animecool.exe	100
PID 2760 wrote to memory of 3888	2760	animecool.exe	100
PID 2760 wrote to memory of 3888	2760	animecool.exe	100
PID 2760 wrote to memory of 3888	2760	animecool.exe	100
PID 2632 wrote to memory of 4352	2632	cmd.exe	101
PID 2632 wrote to memory of 4352	2632	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\animecool.exe
  "C:\Users\Admin\AppData\Local\Temp\animecool.exe" /animecool.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3888
- C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe
  "C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe" /poxuipluspoxui.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat" /govno312321412412.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe
    nig1r21312312.exe exec hide fds333333333333333.bat
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c fds333333333333333.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 60
        5⤵
        Delays execution with timeout.exe
        
        PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.exe
        
        ConsoleApplication1.exe
        5⤵
        Executes dropped EXE
        
        PID:4352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.exe

Filesize
47KB

MD5
a54b7f580b214fe5bcec8a5c69f02b2d

SHA1
d61edbaec7dabab090d2a7b43bd4e5cfb5944712

SHA256
d2b80145ce8486d2083c1ae89a99eeda9a6251957d8d3316666d6aa031a9a6e2

SHA512
3586dc18cad2eb1dc27fe90190c0b76e667a2262b5631d2a269b03988cadc092a8fe917a450da48a551b3f7dd875a1695e8aca324c5649a98ce611eb701597cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1.exe

Filesize
47KB

MD5
a54b7f580b214fe5bcec8a5c69f02b2d

SHA1
d61edbaec7dabab090d2a7b43bd4e5cfb5944712

SHA256
d2b80145ce8486d2083c1ae89a99eeda9a6251957d8d3316666d6aa031a9a6e2

SHA512
3586dc18cad2eb1dc27fe90190c0b76e667a2262b5631d2a269b03988cadc092a8fe917a450da48a551b3f7dd875a1695e8aca324c5649a98ce611eb701597cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\animecool.exe

Filesize
415.7MB

MD5
ad69650fae892d5ee7c797c214341568

SHA1
93c658ba1bfa2f1d69f8bb04154e31480874b679

SHA256
1ea9b2328c7df778adc69a9f90f82d14f47bc5cc9844e67866afa65248e19c5d

SHA512
93e4c2b34ef76beef33f2710729a341da6e11a47d9436c68e82c190a06a135ea8e760011e0d98fd147b1d3a47c66d6eb57e108bc92b78149c5fd8fa6a03e3c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\animecool.exe

Filesize
432.4MB

MD5
cef3e23bc4e21d5167ba206494333280

SHA1
1d936e58bb31f48d931175039b70882a3754f758

SHA256
95615accfb2f5f0125c5c902c85e61ac08cfac99d2bf678c689ac1c5d2adadef

SHA512
63298f43b567efc87782fd6d4f29161d8ae8c6059508b50753d501ca2448a99f7af6b9b696088bbcc8b79b14114c71ef79239c7c1a7aee2ea2198af528a4bf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fds333333333333333.bat

Filesize
55B

MD5
78d34993a3f671785ab9ad1097e6620e

SHA1
ff600ffda2d8661cba3f1352b6df9eeff39c3b10

SHA256
988bf35e06ed737cff745ce0b33df976634072586148fba37f8056b294c0404c

SHA512
d3491ca6825c5f0b9ed4d345cc7627a752b04ab5c1f638c9a921c7619e8c08029e4d56bf773012baa232d76964dc41af6d0f54712d5671b3bc9eabc10f710cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\govno312321412412.bat

Filesize
64B

MD5
d930ae56d269e8cbf42a884838a1940f

SHA1
86b54cc38ea58a602a8418c256deac72ef7bda95

SHA256
4cab9b91745224c84bf43bd0702d6754f311f0a0c62669311d05038c3fc06d32

SHA512
db647a3a570981b5171d8b97c32ded9a01ec14dd96b79a483d794fa53c11373324a01e28565f67d27c89edace73435fe875f7462f52c57e207390adaec16ecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nig1r21312312.exe

Filesize
429.2MB

MD5
c6f1791d5889267deb9cd7e6527e1aef

SHA1
84e9ef368ae2dcc60a1322caceac1b63399ce6b5

SHA256
c7142e516ce766398e2527670f087cc1dc554d5d760f9c98ecc0d2fc4a312b36

SHA512
47f6edaeb27fc94698ce2e34e86966bd897f76f8e3b6e2ecc188120d79c6ddf006e1ab5bb3783db06ee42049bc5e2d65c1387953a5bd21c62b5a52763c06ce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe

Filesize
441.5MB

MD5
03e8b70bd3afb1eb292a9c48c0131b4d

SHA1
a923ff23c6517836df2a7f4059c36952b6fc75cc

SHA256
5b1768ea985a0f2275c278a656e4d8767b36e2f68557e99e0aa21da3ab39435d

SHA512
c1f9927221e89fb45d6abed85291004681a74c0facbbc251a5755b3deca9ad5d877fd2b4ecb8a0e806b07ab6d8bfa3d994d30a5fbcc29f83228bd37f78e9dd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\poxuipluspoxui.exe

Filesize
403.8MB

MD5
dd0a82fdbcf8196bad92e2bec9f30c25

SHA1
defe7b22bdb8bac40316b30df0d76542eaf424cd

SHA256
ef39e69e7f113c48aae1cf4688a04b9d7adcc4d1ce7e4ae21bacd6879bef70a0

SHA512
8ddaa1bdce2e17be3e5708215db46a33ff9405ad58ae09c1a5f3fba5eae709733e94eb2825975d16a84e65b0a8461545a2b2a40d35855e597b497cb1c982028f

Download Submit
C:\Users\Admin\AppData\Roaming\Binance\app-store.json

Filesize
19KB

MD5
60acceb8ad9017bae4a5fba00f8107fe

SHA1
10bd1ceca8cbf72d860ffb82a861654e2904e323

SHA256
b2744128f8d63a2596a6f29d2c0878a3bad023e523266849a60b3d8ca55f931c

SHA512
aacc7448b3e9925701acb8017a30d8fcef6be9f03e61385a8ab4f143fb197bde60b543ee7e68a269a88cfae52dd6f1fff6e7e0334515ce5c2e8bbd9bfb8dd9e0

Download Submit
C:\Users\Admin\AppData\Roaming\Electrum\wallets\20_btc_wallet

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\AppData\Roaming\Electrum\wallets\default_wallet

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\AppData\Roaming\Exodus\exodus.wallet\ReadME.txt

Filesize
43B

MD5
f06290d0dbadb6e26fb2b78d78b23fcf

SHA1
575299b91e453580caba1c106c09b8de1ef4a83c

SHA256
040fd90aa8e5e9d977dd7c951eb90ab15c70f808dd4cfc3d7ba52aad053711fe

SHA512
302672db96dc09f99198294f9a32057723c3a595712708c7c1c76c3f843a9ea902c1344fde3d03dba7720b7ebffdb84633a7fc959f867d60b43dbb524ae24e20

Download Submit
C:\Users\Admin\AppData\Roaming\atomic\xuesos.txt

Filesize
19KB

MD5
60acceb8ad9017bae4a5fba00f8107fe

SHA1
10bd1ceca8cbf72d860ffb82a861654e2904e323

SHA256
b2744128f8d63a2596a6f29d2c0878a3bad023e523266849a60b3d8ca55f931c

SHA512
aacc7448b3e9925701acb8017a30d8fcef6be9f03e61385a8ab4f143fb197bde60b543ee7e68a269a88cfae52dd6f1fff6e7e0334515ce5c2e8bbd9bfb8dd9e0

Download Submit
C:\Users\Admin\Desktop\seed.docx

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\Desktop\seed.pdf

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\Desktop\seed.png

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\Desktop\seed.txt

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\Documents\seed.docx

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\Documents\seed.pdf

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\Documents\seed.png

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
C:\Users\Admin\Documents\seed.txt

Filesize
476B

MD5
c0a4e06f5a7353ebd6560326e97665af

SHA1
2fc396df8c9241fa3cd7b7cbded130e35f19693f

SHA256
1ef15a24cd68d9ffa6d14bbf9b3bcb83a475cc086943998ee712583805a8f0c6

SHA512
4f4c1a8ddd66be8cb5605534af2c6761ad20bf7645272f4c0c35a0b1d2d06e6b0e777c0aa27ff11131190bccff56217c84c6deefa51bd443fbea31f683758350

Download Submit
memory/2276-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3888-156-0x0000000005C00000-0x0000000005C92000-memory.dmp

Filesize
584KB

Download
memory/3888-155-0x0000000004A20000-0x0000000004A5C000-memory.dmp

Filesize
240KB

Download
memory/3888-154-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/3888-153-0x0000000004AB0000-0x0000000004BBA000-memory.dmp

Filesize
1.0MB

Download
memory/3888-152-0x0000000004FC0000-0x00000000055D8000-memory.dmp

Filesize
6.1MB

Download
memory/3888-147-0x0000000000500000-0x0000000000530000-memory.dmp

Filesize
192KB

Download
memory/3888-178-0x0000000006200000-0x0000000006250000-memory.dmp

Filesize
320KB

Download
memory/3888-163-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/3888-177-0x0000000006180000-0x00000000061F6000-memory.dmp

Filesize
472KB

Download
memory/3888-160-0x0000000006250000-0x00000000067F4000-memory.dmp

Filesize
5.6MB

Download
memory/4352-161-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/4352-162-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download