redline | d85391521bd9c46bc3a0ecae974f9f985cc0f5bdecf62103409a8d55fbd4ebd8

Analysis

max time kernel
104s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2023 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r.exe
Size

726.0MB
MD5

925d0a37d33fdbac9033db87536eb11e
SHA1

e76d4838dd6db6bdf50664652f3cca9bfed6e7a8
SHA256

5177282965eb65aa04252de17b99d0533d82cdddead523238e893dd0d5d1dd54
SHA512

2c2c2c07e0746a5d8c691bd67f28a0077457127ebfb2a43857ab04c445af909d765dbc9eb8f218d7bc9b301ce60243d70352e8a639c86e9d2bf23bd7452de5a8
SSDEEP

49152:J2Ed3BvKmu/5f5tZnmTzXGVpTNkt5jgRqaq8STli:J2G3BSD//tpcCVDsCyTA

Score

10^/10

redline 767 infostealer spyware upx

Malware Config

Extracted

Family

redline

Botnet

767

88.218.171.110:39314

Attributes

auth_value
15af7981abaac4894e19d6f7633cdd20

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
4268	Engine.exe
4220	Michigan.exe.pif

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f48-133.dat	upx
behavioral2/files/0x0006000000022f48-134.dat	upx
behavioral2/memory/4268-135-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/4268-153-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/4268-164-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4220 set thread context of 3244	4220	Michigan.exe.pif	102

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2891029575-1462575-1165213807-1000\{39ADDE0C-9734-4B09-BCC4-AC3E173DA64A}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2891029575-1462575-1165213807-1000\{9FFFF727-07AC-4AD9-B2BA-A54E24C95D86}	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3848	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe
4220	Michigan.exe.pif
4220	Michigan.exe.pif
4220	Michigan.exe.pif
4220	Michigan.exe.pif
4220	Michigan.exe.pif
4220	Michigan.exe.pif
4220	Michigan.exe.pif
4220	Michigan.exe.pif
3244	jsc.exe
3244	jsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	3244	jsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4220	Michigan.exe.pif
4220	Michigan.exe.pif
4220	Michigan.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4220	Michigan.exe.pif
4220	Michigan.exe.pif
4220	Michigan.exe.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	OpenWith.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4268	1652	r.exe	79
PID 1652 wrote to memory of 4268	1652	r.exe	79
PID 1652 wrote to memory of 4268	1652	r.exe	79
PID 4268 wrote to memory of 4860	4268	Engine.exe	80
PID 4268 wrote to memory of 4860	4268	Engine.exe	80
PID 4268 wrote to memory of 4860	4268	Engine.exe	80
PID 4860 wrote to memory of 4584	4860	CmD.exe	82
PID 4860 wrote to memory of 4584	4860	CmD.exe	82
PID 4860 wrote to memory of 4584	4860	CmD.exe	82
PID 4584 wrote to memory of 2220	4584	cmd.exe	87
PID 4584 wrote to memory of 2220	4584	cmd.exe	87
PID 4584 wrote to memory of 2220	4584	cmd.exe	87
PID 4584 wrote to memory of 1588	4584	cmd.exe	88
PID 4584 wrote to memory of 1588	4584	cmd.exe	88
PID 4584 wrote to memory of 1588	4584	cmd.exe	88
PID 4584 wrote to memory of 2360	4584	cmd.exe	91
PID 4584 wrote to memory of 2360	4584	cmd.exe	91
PID 4584 wrote to memory of 2360	4584	cmd.exe	91
PID 4584 wrote to memory of 3232	4584	cmd.exe	92
PID 4584 wrote to memory of 3232	4584	cmd.exe	92
PID 4584 wrote to memory of 3232	4584	cmd.exe	92
PID 4584 wrote to memory of 4220	4584	cmd.exe	93
PID 4584 wrote to memory of 4220	4584	cmd.exe	93
PID 4584 wrote to memory of 4220	4584	cmd.exe	93
PID 4584 wrote to memory of 3848	4584	cmd.exe	94
PID 4584 wrote to memory of 3848	4584	cmd.exe	94
PID 4584 wrote to memory of 3848	4584	cmd.exe	94
PID 4220 wrote to memory of 3244	4220	Michigan.exe.pif	102
PID 4220 wrote to memory of 3244	4220	Michigan.exe.pif	102
PID 4220 wrote to memory of 3244	4220	Michigan.exe.pif	102
PID 4220 wrote to memory of 3244	4220	Michigan.exe.pif	102
PID 4220 wrote to memory of 3244	4220	Michigan.exe.pif	102

C:\Users\Admin\AppData\Local\Temp\r.exe
"C:\Users\Admin\AppData\Local\Temp\r.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\SETUP_42252\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_42252\Engine.exe /TH_ID=_4520 /OriginExe="C:\Users\Admin\AppData\Local\Temp\r.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\CmD.exe
    C:\Windows\system32\CmD.exe /c cmd < 3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\SysWOW64\certutil.exe
        
        certutil -decode 38 38sDaAR
        5⤵
        
        PID:2360
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^PRkVeVsTyHnRICGsGmOyGtKOipEtRzIGlbmjphFjAeMEUgvqocjkAJLKuvOTsheMZRHkezoaTCEEauUSMDVcuvuAMOuNmMVjqqFe$" 38sDaAR
        5⤵
        
        PID:3232
    - - C:\Users\Admin\AppData\Local\Temp\5ujzq1am.y4e\16872\Michigan.exe.pif
        
        16872\\Michigan.exe.pif 16872\\x
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4220
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 8
        5⤵
        Runs ping.exe
        
        PID:3848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
22a3644880f9f3fa5ad86f83c12b4eab

SHA1
46841876cc3eee9b81eaa17927130324d2358898

SHA256
78dfede081aa2aa0d16c6104ad518c42e8047cbbc75ed2cfeee9a6f2389c66e1

SHA512
c4e1dbd867fcb97029b2088be1c11cfb5fc75d8a649f4accc97ad703fac5537d7d61d6514e5e052aa473d23bff912eaee1b34acd907e2c204f7cb6cef3619324

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ujzq1am.y4e\16872\Michigan.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ujzq1am.y4e\38sDaAR

Filesize
872KB

MD5
4160319be6c983b6e1809f95f9b5195b

SHA1
cab2c940bdd109cbc3552776c3a751ab9fbe1ec5

SHA256
1a377096c0e431a9b7506af780dca00b348f647eb000f31d919095c676cf4d7c

SHA512
01e1746f8f9479b4c4d47eaccba9669adaea5212cdc2975774769002a28bdcb4dd18607879c804d0f3fddf25fe210e96107711b2d5eb638e8ad68f6c331b14b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42252\00000#20

Filesize
1.0MB

MD5
b048e735d185f6260169a73b1ba631f4

SHA1
ec7773090f3c286c9ed3d772b6e6837ac0a977b1

SHA256
0fa2825d8008a94bda893ee9ddd625677d9a22d780889a4a829e11f5f6ea807e

SHA512
379a518a8f059056dc4eee421903394ad69231e934f614f347becae75a0b75e853f09d6e612478fce7d56a44af3ad490fb9ccf9d94501aa9ae02a3d51dd08709

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42252\00001#3

Filesize
13KB

MD5
d648cff5f60e78af8c8edb7b9f42eef4

SHA1
8866de9f6da917c649799b120e29cb0b58ce7135

SHA256
9355727414a677b38c2a86d6d072539d7bf09ecd5fb3e5e94f73907b95088b84

SHA512
df35246cee546084ac9e86e58ec6229a6f945dd6f65fb9a43c1b0072a3c76b7d8c5fe36ee8f45f44a87ec1ce02632694a2d74b1d68feca0d514be4fd25d14447

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42252\00002#38

Filesize
1.2MB

MD5
ea1dbdf91573d6ef4e1a8cb4cba74426

SHA1
39dbb4b5d77d46d5735a2c21139fa967e1f1ba49

SHA256
1ff0b0af219045a8b695bb372e13d1f763c0e919972bc375d9cad1799f5150d1

SHA512
514c49a1bf5a29fc9fb5f0eafcea52ebaf61fef7eb576df799a84cc7fc24b6fbb9b131eff37f936fe97cee9572760fac503637ecdd88fce31417680abd1db9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42252\Engine.exe

Filesize
392KB

MD5
50e4b374719400049ef36d2f02dce6a2

SHA1
ed7e29079e42963d7f3418b7c50ae4a747d47064

SHA256
49d492ba33edc5e4da6c24159d44d8c164f5db9504f10efdfeb5e1dc5c660010

SHA512
545b38d0cac594d74ad390dee632ec603a0c78a1887933e59fab469a1e77e83643b6bbc932decc41d439aa82ec761d3f5160b3cde0c974567a492e3ee127c503

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42252\Engine.exe

Filesize
392KB

MD5
50e4b374719400049ef36d2f02dce6a2

SHA1
ed7e29079e42963d7f3418b7c50ae4a747d47064

SHA256
49d492ba33edc5e4da6c24159d44d8c164f5db9504f10efdfeb5e1dc5c660010

SHA512
545b38d0cac594d74ad390dee632ec603a0c78a1887933e59fab469a1e77e83643b6bbc932decc41d439aa82ec761d3f5160b3cde0c974567a492e3ee127c503

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42252\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_42252\Setup.txt

Filesize
2KB

MD5
adebd1344bfe2a7c7ad77a5442e06448

SHA1
9651dfd8178c4ab2dd41ca61b75fdcbde0b25cbe

SHA256
0e8b7bb6535bac5601bcc79edb89be9a6cd24e492182174ee6279c85e9c56efc

SHA512
c95364ef11e6fdf37114715370ed116522649da07d99ff86e3aac5d66d173e1c916f4ee46df0f6b49b31f92062bbbdd94d7e4ca7a271b4f10627a6f030c99472

Download Submit
memory/2220-154-0x0000000007D30000-0x00000000082D4000-memory.dmp

Filesize
5.6MB

Download
memory/2220-146-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/2220-147-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/2220-148-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/2220-149-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/2220-150-0x00000000076E0000-0x0000000007776000-memory.dmp

Filesize
600KB

Download
memory/2220-151-0x0000000006C40000-0x0000000006C5A000-memory.dmp

Filesize
104KB

Download
memory/2220-152-0x0000000006C90000-0x0000000006CB2000-memory.dmp

Filesize
136KB

Download
memory/2220-145-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/2220-144-0x00000000051E0000-0x0000000005216000-memory.dmp

Filesize
216KB

Download
memory/3244-170-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/3244-171-0x0000000005590000-0x00000000055CC000-memory.dmp

Filesize
240KB

Download
memory/3244-166-0x0000000000F30000-0x0000000000F62000-memory.dmp

Filesize
200KB

Download
memory/3244-175-0x0000000007080000-0x00000000070F6000-memory.dmp

Filesize
472KB

Download
memory/3244-174-0x00000000073B0000-0x00000000078DC000-memory.dmp

Filesize
5.2MB

Download
memory/3244-173-0x0000000006CB0000-0x0000000006E72000-memory.dmp

Filesize
1.8MB

Download
memory/3244-172-0x0000000005A60000-0x0000000005AF2000-memory.dmp

Filesize
584KB

Download
memory/3244-168-0x0000000005B30000-0x0000000006148000-memory.dmp

Filesize
6.1MB

Download
memory/3244-176-0x0000000007100000-0x0000000007150000-memory.dmp

Filesize
320KB

Download
memory/3244-169-0x0000000005620000-0x000000000572A000-memory.dmp

Filesize
1.0MB

Download
memory/4268-153-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4268-164-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4268-135-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download