redline | d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7

Analysis

max time kernel
144s
max time network
175s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
08-02-2023 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
Size

519KB
MD5

5be1b03ddf789ab88033ea07c9fef3bb
SHA1

2ce884cf3c65cf4975521bf64ad2022b6eba2f51
SHA256

d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7
SHA512

512c0c648880e2bccb2a25e4e168e2f9ffe731518fd3c93d1a24ee13517a83a0e80f3a9683be92ee2802dfa423800c85b9e7b5bb9f9da20bb07a42822847c698
SSDEEP

12288:VMrFy90nJPPR1hj43dRJKVu1S45CLmYRj:YyIhLj4NioUmq

Score

10^/10

redline new1 roma discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

roma

193.233.20.7:4131

Attributes

auth_value
f099c2cf92834dbc554a94e1456cf576

Extracted

Family

redline

Botnet

new1

176.113.115.16:4132

Attributes

auth_value
ac44cbde6633acc9d67419c7278d5c70

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4420-223-0x0000000004A50000-0x0000000004A96000-memory.dmp	family_redline
behavioral2/memory/4420-229-0x0000000004AE0000-0x0000000004B24000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

bBif.exenewcr.exe

pid process

4420 bBif.exe
2152 newcr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4420	bBif.exe
2152	newcr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

newcr.exe

description pid process target process

PID 2152 set thread context of 4504 2152 newcr.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bBif.exeAppLaunch.exe

pid process

4420 bBif.exe
4420 bBif.exe
4504 AppLaunch.exe
4504 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bBif.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 4420 bBif.exe
Token: SeDebugPrivilege 4504 AppLaunch.exe

description	pid	process	target process
PID 2152 set thread context of 4504	2152	newcr.exe	AppLaunch.exe

pid	process
4420	bBif.exe
4420	bBif.exe
4504	AppLaunch.exe
4504	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4420	bBif.exe
Token: SeDebugPrivilege	4504	AppLaunch.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exenewcr.exe

description	pid	process	target process
PID 3492 wrote to memory of 4420	3492	d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe	bBif.exe
PID 3492 wrote to memory of 4420	3492	d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe	bBif.exe
PID 3492 wrote to memory of 4420	3492	d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe	bBif.exe
PID 3492 wrote to memory of 2152	3492	d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe	newcr.exe
PID 3492 wrote to memory of 2152	3492	d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe	newcr.exe
PID 3492 wrote to memory of 2152	3492	d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe	newcr.exe
PID 2152 wrote to memory of 4504	2152	newcr.exe	AppLaunch.exe
PID 2152 wrote to memory of 4504	2152	newcr.exe	AppLaunch.exe
PID 2152 wrote to memory of 4504	2152	newcr.exe	AppLaunch.exe
PID 2152 wrote to memory of 4504	2152	newcr.exe	AppLaunch.exe
PID 2152 wrote to memory of 4504	2152	newcr.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe
"C:\Users\Admin\AppData\Local\Temp\d6287ca7441d25c0efece59d37b2a0e9155291acf8716bddab054cc2375d1df7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bBif.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bBif.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\newcr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\newcr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bBif.exe
Filesize
305KB

MD5
08f88a52e090ec6ca798b55e316da786

SHA1
268822839ee5e27ed06b6d441362de20ae3deef6

SHA256
951d69242083538a766034ad06199be39f9dfe3fb3b8ae6b2c4113c730cb2f8c

SHA512
a6eee3bbd3fe2bfffffceab32cd823319c50bd886b2e69feb3b051a452a7ec8f0c8720ce08b020503b3a59329529a5e61e911b0ff2b94da845640b8ff76bae81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bBif.exe
Filesize
305KB

MD5
08f88a52e090ec6ca798b55e316da786

SHA1
268822839ee5e27ed06b6d441362de20ae3deef6

SHA256
951d69242083538a766034ad06199be39f9dfe3fb3b8ae6b2c4113c730cb2f8c

SHA512
a6eee3bbd3fe2bfffffceab32cd823319c50bd886b2e69feb3b051a452a7ec8f0c8720ce08b020503b3a59329529a5e61e911b0ff2b94da845640b8ff76bae81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\newcr.exe
Filesize
283KB

MD5
77d5a396629251570dc77efd9d528e5d

SHA1
bd3c5750bfe7e46c96ab3b1b35c59251a3172564

SHA256
c63b14e787d2cad47669489bb2072157996c7b9d629ed24fae960234271a949d

SHA512
37a9a6483c1e5b3b97889da9542d957b83db4f6902aa4f322565ff41248ecf86b264d33db9e3962c3aa2fd7cb4e2d6bbc78486e46018f663c2c59d20dc314476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\newcr.exe
Filesize
283KB

MD5
77d5a396629251570dc77efd9d528e5d

SHA1
bd3c5750bfe7e46c96ab3b1b35c59251a3172564

SHA256
c63b14e787d2cad47669489bb2072157996c7b9d629ed24fae960234271a949d

SHA512
37a9a6483c1e5b3b97889da9542d957b83db4f6902aa4f322565ff41248ecf86b264d33db9e3962c3aa2fd7cb4e2d6bbc78486e46018f663c2c59d20dc314476

Download Submit
memory/2152-276-0x0000000000000000-mapping.dmp

Download
memory/3492-161-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-137-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-122-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-123-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-124-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-125-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-126-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-127-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-128-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-129-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-130-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-131-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-132-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-133-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-134-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-135-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-136-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-165-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-138-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-139-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-140-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-141-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-142-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-143-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-144-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-145-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-163-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-147-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-148-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-149-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-150-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-151-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-152-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-153-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-154-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-155-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-156-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-157-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-159-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-158-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-160-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-120-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-162-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-146-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-121-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3492-164-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-166-0x0000000000000000-mapping.dmp

Download
memory/4420-174-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-172-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-168-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-173-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-230-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/4420-227-0x0000000004B60000-0x000000000505E000-memory.dmp

Filesize
5.0MB

Download
memory/4420-171-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-176-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-178-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-179-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-223-0x0000000004A50000-0x0000000004A96000-memory.dmp

Filesize
280KB

Download
memory/4420-180-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-182-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-184-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-185-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-186-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-183-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-177-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-181-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-170-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-229-0x0000000004AE0000-0x0000000004B24000-memory.dmp

Filesize
272KB

Download
memory/4420-169-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/4420-232-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4420-231-0x0000000001F30000-0x0000000001F7B000-memory.dmp

Filesize
300KB

Download
memory/4420-243-0x0000000005090000-0x0000000005696000-memory.dmp

Filesize
6.0MB

Download
memory/4420-244-0x0000000005720000-0x000000000582A000-memory.dmp

Filesize
1.0MB

Download
memory/4420-246-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/4420-248-0x0000000005880000-0x00000000058BE000-memory.dmp

Filesize
248KB

Download
memory/4420-250-0x00000000059D0000-0x0000000005A1B000-memory.dmp

Filesize
300KB

Download
memory/4420-254-0x0000000005B60000-0x0000000005BF2000-memory.dmp

Filesize
584KB

Download
memory/4420-256-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/4420-264-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/4420-265-0x0000000006540000-0x00000000065B6000-memory.dmp

Filesize
472KB

Download
memory/4420-266-0x00000000065D0000-0x0000000006620000-memory.dmp

Filesize
320KB

Download
memory/4420-267-0x0000000006640000-0x0000000006802000-memory.dmp

Filesize
1.8MB

Download
memory/4420-268-0x0000000006810000-0x0000000006D3C000-memory.dmp

Filesize
5.2MB

Download
memory/4420-275-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/4504-322-0x00000000001CB596-mapping.dmp

Download
memory/4504-374-0x00000000001B0000-0x00000000001E2000-memory.dmp

Filesize
200KB

Download
memory/4504-390-0x0000000008B60000-0x0000000008BAB000-memory.dmp

Filesize
300KB

Download