redline | hxxp://62[.]204[.]41[.]88/lend/world[.]exe

General

Target

http://62.204.41.88/lend/world.exe

Score

10^/10

redline 14 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

14

C2

45.12.253.144:40145

Attributes

auth_value
6528d0f243ad9e530a68f2a487521a80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

world.exe

pid process

4672 world.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4672	world.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d42e80ebae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31022488"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe30000000002000000000010660000000100002000000094532a89350d77c27542dae1e50dcc9adc6cb6bd01c8011d8cd0710cdbe6bbce000000000e8000000002000020000000c7c5f21521e9c0bdf22f3ed141c24f4f10030b2ea979261e2b4378146c6e0a1d20000000d08c4544aad1139c53b0a8f6d6739c8ca4282a2d434f3d67ca4370fb76e6a06d40000000751aef4ef40c8084960f2f4f17557a6b43f6854f8c74200c7c02adb8967cf0b7c262fa4e4b68e1c7fce9cd46e69c28dd939dc84d9a78c2c14b3ef66210be196b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0081ca42985dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{9CEB3676-E75C-43F4-8FBC-A83246179206}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6C9EB8C9-C98B-11ED-9EF6-EEF7611730E8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1101034788"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31022488"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2047b742985dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386348594"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1101191265"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016b1b6fc7cfc59429b2ebf78760d5fe30000000002000000000010660000000100002000000002ffe8059b33449af2df2ac69abd0e5130599feadc3bfcdd1aaf07e1f5db88d6000000000e8000000002000020000000f98994ed0cacd3a1966a5e08688e88c95334942d6edf100d4701d24d97b60315200000007dc52f4ef6203a7e3e17e2a0c78c8b5cff036e05f90f71d6a34b04f518be683140000000b8c4d9c19c6bbdf3abbb747f0f699a64ee6800cedd2191c7689002c58ca6785c7f3abd9a4c34bbab9a73e31480cdc108e772732712beb5151acb9a383d7136c9	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

world.exe

pid process

4672 world.exe
4672 world.exe
4672 world.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

world.exe

description pid process

Token: SeDebugPrivilege 4672 world.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

644 iexplore.exe
644 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

644 iexplore.exe
644 iexplore.exe
2704 IEXPLORE.EXE
2704 IEXPLORE.EXE

pid	process
4672	world.exe
4672	world.exe
4672	world.exe

description	pid	process
Token: SeDebugPrivilege	4672	world.exe

pid	process
644	iexplore.exe
644	iexplore.exe

pid	process
644	iexplore.exe
644	iexplore.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 644 wrote to memory of 2704	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 2704	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 2704	644	iexplore.exe	IEXPLORE.EXE
PID 644 wrote to memory of 4672	644	iexplore.exe	world.exe
PID 644 wrote to memory of 4672	644	iexplore.exe	world.exe
PID 644 wrote to memory of 4672	644	iexplore.exe	world.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://62.204.41.88/lend/world.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:644 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\world.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\world.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\world[1].exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\world.exe
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8OI4IV75\world.exe.pbxt1gm.partial
Filesize
336KB

MD5
f8e0e6946af017037e8bb4d5455d4e99

SHA1
6691a0d551c3991fbe5f18147711e829616099bb

SHA256
4f8e88f1d2bf0817faa0627fa1c9b92715b13015bf7f38d7fcc6d27a4e511d6e

SHA512
f2fa94c86c400ae894abc3d9fa7316ad47cf1bf4b039dd162cab13c1e4c29c68646919c2076804b885863dd15e79053ef378bdf996b030c6764c144eb36c6e93

Download Submit
memory/4672-148-0x0000000005580000-0x00000000055BC000-memory.dmp

Filesize
240KB

Download
memory/4672-151-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4672-146-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/4672-147-0x0000000005520000-0x0000000005532000-memory.dmp

Filesize
72KB

Download
memory/4672-144-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4672-149-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4672-150-0x0000000006BE0000-0x0000000007184000-memory.dmp

Filesize
5.6MB

Download
memory/4672-145-0x0000000005B20000-0x0000000006138000-memory.dmp

Filesize
6.1MB

Download
memory/4672-152-0x0000000006900000-0x0000000006AC2000-memory.dmp

Filesize
1.8MB

Download
memory/4672-153-0x0000000008DB0000-0x00000000092DC000-memory.dmp

Filesize
5.2MB

Download
memory/4672-154-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4672-155-0x0000000006AD0000-0x0000000006B46000-memory.dmp

Filesize
472KB

Download
memory/4672-156-0x0000000006B50000-0x0000000006BA0000-memory.dmp

Filesize
320KB

Download
memory/4672-143-0x00000000009E0000-0x0000000000A3A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads