redline | hxxps://www[.]mediafire[.]com/file/fu7vj52h3yb7o8p/AtmosphereCheats[.]zip/file

General

Target

https://www.mediafire.com/file/fu7vj52h3yb7o8p/AtmosphereCheats.zip/file

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 402aab7ba945d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "51"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "769"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "51"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "111"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "111"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "111"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "769"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "769"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4D5D7BE0-CD1A-11ED-8FFF-C2E0088FA829} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{5DD863DA-30B6-41BC-BC06-A04DA1626EF0}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "51"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

368 iexplore.exe
368 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

368 iexplore.exe
368 iexplore.exe
2584 IEXPLORE.EXE
2584 IEXPLORE.EXE
2584 IEXPLORE.EXE
2584 IEXPLORE.EXE

pid	process
368	iexplore.exe
368	iexplore.exe

pid	process
368	iexplore.exe
368	iexplore.exe
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 368 wrote to memory of 2584	368	iexplore.exe	IEXPLORE.EXE
PID 368 wrote to memory of 2584	368	iexplore.exe	IEXPLORE.EXE
PID 368 wrote to memory of 2584	368	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/fu7vj52h3yb7o8p/AtmosphereCheats.zip/file
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4976

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AtmosphereCheats\" -spe -an -ai#7zMap25726:94:7zEvent26471
1⤵
PID:3532

C:\Users\Admin\Downloads\AtmosphereCheats\AtmosphereLauncher.exe
"C:\Users\Admin\Downloads\AtmosphereCheats\AtmosphereLauncher.exe"
1⤵
PID:508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
2⤵
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\Q69XFBXR\www.mediafire[1].xml
Filesize
1KB

MD5
ff71b674ed46d999fc3b4bf3663eb8b2

SHA1
bd11665382415d9898e6fff46d8deb4a3fffcb74

SHA256
c9bf3606ea2c63d019dfa5cb7af37d7e77c14107a07122eb1dadd71f4d543c00

SHA512
4be667580440c1209a75c6578e2354e7d273295faa76828999105f096711083d29f5cd627e73ad968cfb15737a7c619bdd38e30bc437be06427a77e786302241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\Q69XFBXR\www.mediafire[1].xml
Filesize
244B

MD5
d1e3a9b9a5976fec289c6275288edda4

SHA1
02022532cedd2499885ef58ad845ddb534b41be7

SHA256
80f8da0885f17f54d83eff419589f390bfa091647c931966c53a4fcddb98db26

SHA512
b2c9c0b132b3ee3a19872c53f7d1fa28cf77e15fa4e04d4123f8e9f398311de9005557476269347021cdf59798a2fc1da75cbcb489a270c996be05ba2dbbd082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\phzg4yt\imagestore.dat
Filesize
11KB

MD5
b82ec9eaf1f24299f63eab5028d2e2a4

SHA1
2b55e378c088c7db4af1337b2806f86e8f5efdd9

SHA256
ad77a2761fd2a08bc5de32eec4779c086c32ec5dcba15851cb5b5546bedc2875

SHA512
6bcdbdc5e31969029265bdc4271929f117968518db3a109427483adff836b719e5ef0638d35cd6be17beac19a45cf4f0342312c5dcc877d585b1fcda39613249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U4IULL1L\favicon[1].ico
Filesize
10KB

MD5
a301c91c118c9e041739ad0c85dfe8c5

SHA1
039962373b35960ef2bb5fbbe3856c0859306bf7

SHA256
cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

SHA512
3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF4B630F042AB4EC57.TMP
Filesize
16KB

MD5
354cd9b2959ee03b4c5fb7b8b40263d9

SHA1
9b9461be868754c4369cd1d05e3205a5a128ae85

SHA256
d9698e425edf2357132305a35190f33b05b545ae77b3746cc136f16148cb4849

SHA512
e6c0b0579b82658c8d71e10d11c6809c844e2513af0bbe8d778268309f16a378adba52033e0d29c32f5c33d0914cf55557e10e8a8cd9d434ecddc393b17d4452

Download Submit
C:\Users\Admin\Downloads\AtmosphereCheats.zip.23iksuy.partial
Filesize
14.3MB

MD5
f651a5ad7a3c8db4cf2b09b67002df7f

SHA1
9373619452be670d10995c972012f294909f71de

SHA256
462ba6a1b67a37b36f9c5767c5a49a6bd60163aaf513545db32c8da769896ac4

SHA512
5db94c14325f2abe30d95dab5ccc6566c2e76def9fce3a1bef0877a5072907a1621609f75ed85f1af6641507c02c336f1e80a06df8d9196a893cd2456cf0dd6d

Download Submit
C:\Users\Admin\Downloads\AtmosphereCheats\AtmosphereLauncher.exe
Filesize
182.9MB

MD5
7740f92b1901f416b165506718de23ce

SHA1
5d856f8cba6a85b42667b1a3226c183530171d6a

SHA256
839ea7813231f897f16019c2c472f0b8a996f5fa83cbb7c1fb6f3dc71c1d1228

SHA512
7e9c8382b9414ae523c7fddf18a3ba370929c3297253531d666228b0981a244542cf07478e4a13892d8a02668ddf4fe77944c8709d89f0f6f84e6d497ac45aeb

Download Submit
C:\Users\Admin\Downloads\AtmosphereCheats\AtmosphereLauncher.exe
Filesize
183.6MB

MD5
aa54695548faa898a8c2bb2599d63ec9

SHA1
9e0b11cfc24859f192eebb7f6ddd0ee7051329ee

SHA256
bffe98993614d6c33d0b0ec77f2cfd2ae016335e5bded1f35488016660ff7202

SHA512
23214b24dd0159a6d76be9c018e0534dbfebfb42ae609c055eb3020e4e767eaa0bfd16d845c4ea8cdeb9fb0aa567d608211b9150c5034aaf5dfd4f578be3d951

Download Submit
memory/508-320-0x0000000000E30000-0x000000000166C000-memory.dmp

Filesize
8.2MB

Download
memory/508-322-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/508-321-0x00000000038A0000-0x00000000038B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads