redline | 671c37266d8edfe445ac284ba2b1f1131cf314130a3cdc2f791ac1b965ed4ca8

General

Target

NordVPN Checker by xRisky v2/NordVPN Checker by xRisky v2/NordVPN Checker by xRisky v2.exe
Size

3.6MB
MD5

9df94731f9ac86b4f1402c15b84a3578
SHA1

5159c2b5714f441620e28ead76b1c0660c7e124c
SHA256

dd4fc338c35dba00d865ebf26c18f892f321bc2e77564109e389ea01eaf77fd0
SHA512

c3e6cc529f811d36c79c001b42d283984bda9da42242ea63b118ac546a561f301f72c43fcb46bed7a16470d2eb08744009ea23e80f24b544dca3d7dbb448f2c1
SSDEEP

49152:KsxJtIT8zzAiAua9pByJcjCI1imWYVBqSLIaisl0ilx5MVuCzFIFIuRZ97F:BxJG9GemI1i8kkCnFI

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NordVPN Checker by xRisky v2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	NordVPN Checker by xRisky v2.exe

Executes dropped EXE 2 IoCs

Processes:

Google Chrome.exeNordVPN Checker by xRisky v2[x86].exe

pid process

2392 Google Chrome.exe
4208 NordVPN Checker by xRisky v2[x86].exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

NordVPN Checker by xRisky v2[x86].exe

pid process

4208 NordVPN Checker by xRisky v2[x86].exe

pid	process
2392	Google Chrome.exe
4208	NordVPN Checker by xRisky v2[x86].exe

pid	process
4208	NordVPN Checker by xRisky v2[x86].exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

NordVPN Checker by xRisky v2[x86].exeGoogle Chrome.exe

description	pid	process
Token: 33	4208	NordVPN Checker by xRisky v2[x86].exe
Token: SeIncBasePriorityPrivilege	4208	NordVPN Checker by xRisky v2[x86].exe
Token: SeDebugPrivilege	4208	NordVPN Checker by xRisky v2[x86].exe
Token: SeDebugPrivilege	2392	Google Chrome.exe
Token: 33	4208	NordVPN Checker by xRisky v2[x86].exe
Token: SeIncBasePriorityPrivilege	4208	NordVPN Checker by xRisky v2[x86].exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

NordVPN Checker by xRisky v2.exe

description	pid	process	target process
PID 5076 wrote to memory of 2392	5076	NordVPN Checker by xRisky v2.exe	Google Chrome.exe
PID 5076 wrote to memory of 2392	5076	NordVPN Checker by xRisky v2.exe	Google Chrome.exe
PID 5076 wrote to memory of 2392	5076	NordVPN Checker by xRisky v2.exe	Google Chrome.exe
PID 5076 wrote to memory of 4208	5076	NordVPN Checker by xRisky v2.exe	NordVPN Checker by xRisky v2[x86].exe
PID 5076 wrote to memory of 4208	5076	NordVPN Checker by xRisky v2.exe	NordVPN Checker by xRisky v2[x86].exe
PID 5076 wrote to memory of 4208	5076	NordVPN Checker by xRisky v2.exe	NordVPN Checker by xRisky v2[x86].exe

C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Roaming\Google Chrome.exe
"C:\Users\Admin\AppData\Roaming\Google Chrome.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
"C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
Filesize
3.2MB

MD5
97cea94128fb016302f1a0d54143dba5

SHA1
bc25d61cbbb607207ca6361b0694584c6369ec26

SHA256
c5ad584af783dc9a379679db534564145a6b329b89a5681c5c30bc9fb4ae3f96

SHA512
1dd2b3e0617d8d3c4670f06ee0e7c3ed8f2e0a061c8bce6919271c29871203eba4590f7907e416c138df28afc1715f9187a1db427ca3741613924afb4bd240e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
Filesize
3.2MB

MD5
97cea94128fb016302f1a0d54143dba5

SHA1
bc25d61cbbb607207ca6361b0694584c6369ec26

SHA256
c5ad584af783dc9a379679db534564145a6b329b89a5681c5c30bc9fb4ae3f96

SHA512
1dd2b3e0617d8d3c4670f06ee0e7c3ed8f2e0a061c8bce6919271c29871203eba4590f7907e416c138df28afc1715f9187a1db427ca3741613924afb4bd240e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2\NordVPN Checker by xRisky v2[x86].exe
Filesize
3.2MB

MD5
97cea94128fb016302f1a0d54143dba5

SHA1
bc25d61cbbb607207ca6361b0694584c6369ec26

SHA256
c5ad584af783dc9a379679db534564145a6b329b89a5681c5c30bc9fb4ae3f96

SHA512
1dd2b3e0617d8d3c4670f06ee0e7c3ed8f2e0a061c8bce6919271c29871203eba4590f7907e416c138df28afc1715f9187a1db427ca3741613924afb4bd240e7

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome.exe
Filesize
403KB

MD5
f903148b5a0c07db2c61ce05fa5c7db2

SHA1
b636a8bf5769f7fe27c263eab54026ac03732ad4

SHA256
2999cb6a5b4a9d38c8f85c1b24a6574147c12c90b4a36e5a81c7aa9c7eecfe3d

SHA512
3abb409a61e167f60af116cd2191435bdc7876ce5483905bd944a01dec2c41e5736ae4ffeb628ea74eeef205e7b5e0c0e04520b58e14aa3240bf9a2de0dfd9b9

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome.exe
Filesize
403KB

MD5
f903148b5a0c07db2c61ce05fa5c7db2

SHA1
b636a8bf5769f7fe27c263eab54026ac03732ad4

SHA256
2999cb6a5b4a9d38c8f85c1b24a6574147c12c90b4a36e5a81c7aa9c7eecfe3d

SHA512
3abb409a61e167f60af116cd2191435bdc7876ce5483905bd944a01dec2c41e5736ae4ffeb628ea74eeef205e7b5e0c0e04520b58e14aa3240bf9a2de0dfd9b9

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome.exe
Filesize
403KB

MD5
f903148b5a0c07db2c61ce05fa5c7db2

SHA1
b636a8bf5769f7fe27c263eab54026ac03732ad4

SHA256
2999cb6a5b4a9d38c8f85c1b24a6574147c12c90b4a36e5a81c7aa9c7eecfe3d

SHA512
3abb409a61e167f60af116cd2191435bdc7876ce5483905bd944a01dec2c41e5736ae4ffeb628ea74eeef205e7b5e0c0e04520b58e14aa3240bf9a2de0dfd9b9

Download Submit
memory/2392-165-0x00000000050D0000-0x00000000051DA000-memory.dmp

Filesize
1.0MB

Download
memory/2392-157-0x0000000000520000-0x000000000058A000-memory.dmp

Filesize
424KB

Download
memory/2392-158-0x0000000005390000-0x00000000059A8000-memory.dmp

Filesize
6.1MB

Download
memory/2392-159-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2392-160-0x0000000004E20000-0x0000000004E5C000-memory.dmp

Filesize
240KB

Download
memory/2392-161-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2392-184-0x0000000006AC0000-0x0000000006FEC000-memory.dmp

Filesize
5.2MB

Download
memory/2392-183-0x00000000063C0000-0x0000000006582000-memory.dmp

Filesize
1.8MB

Download
memory/2392-176-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4208-168-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-164-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/4208-167-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-187-0x0000000000400000-0x00000000007BE000-memory.dmp

Filesize
3.7MB

Download
memory/4208-169-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-170-0x0000000004A30000-0x0000000004A3A000-memory.dmp

Filesize
40KB

Download
memory/4208-171-0x00000000060E0000-0x0000000006104000-memory.dmp

Filesize
144KB

Download
memory/4208-172-0x0000000006600000-0x0000000006654000-memory.dmp

Filesize
336KB

Download
memory/4208-173-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-174-0x00000000067F0000-0x0000000006846000-memory.dmp

Filesize
344KB

Download
memory/4208-175-0x0000000000400000-0x00000000007BE000-memory.dmp

Filesize
3.7MB

Download
memory/4208-166-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-177-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-178-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-179-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-180-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-181-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4208-163-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/4208-162-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/4208-186-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/5076-133-0x0000000001950000-0x0000000001960000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads