redline | 069ca2e2865e37a2e0e15b701b8cb64a8833ad16e38f2a6b6f7b4025451d1205

General

Target

607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe
Size

7.2MB
MD5

c0897e921672c2619acc5d9ff1329860
SHA1

683d5c1b0858cd5089e4a60ba344872531584d35
SHA256

607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52
SHA512

696ce43462167d474491fc8dee8cd29ef8d12a1795d6b4e5262332fa58b102a503f5565799f960237b8fa58796391f445856206d70b4b8087f9918399063d4ff
SSDEEP

196608:FLQ6B/XKUDz9NoUXJzUWi7MYjBVvo5/UVC:ZFlaU/9NZXJZinjB9oxgC

Score

10^/10

redline darkweb discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

DARKWEB

C2

89.22.234.180:40608

Attributes

auth_value
cf407bc0c9a8384bb62aa110b7844cfe

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe

Executes dropped EXE 2 IoCs

pid	Process
4000	XWorm V3.1.exe
400	dark.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
400	dark.exe
400	dark.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	XWorm V3.1.exe
Token: SeDebugPrivilege	400	dark.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4000	4220	607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe	85
PID 4220 wrote to memory of 4000	4220	607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe	85
PID 4220 wrote to memory of 400	4220	607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe	86
PID 4220 wrote to memory of 400	4220	607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe	86
PID 4220 wrote to memory of 400	4220	607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe	86

C:\Users\Admin\AppData\Local\Temp\607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe
"C:\Users\Admin\AppData\Local\Temp\607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Users\Admin\AppData\Local\Temp\dark.exe
  "C:\Users\Admin\AppData\Local\Temp\dark.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe

Filesize
6.9MB

MD5
37a9fdc56e605d2342da88a6e6182b4b

SHA1
20bc3df33bbbb676d2a3c572cff4c1d58c79055d

SHA256
422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

SHA512
f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe

Filesize
6.9MB

MD5
37a9fdc56e605d2342da88a6e6182b4b

SHA1
20bc3df33bbbb676d2a3c572cff4c1d58c79055d

SHA256
422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

SHA512
f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe

Filesize
6.9MB

MD5
37a9fdc56e605d2342da88a6e6182b4b

SHA1
20bc3df33bbbb676d2a3c572cff4c1d58c79055d

SHA256
422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

SHA512
f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dark.exe

Filesize
159KB

MD5
0d1b1c61a083b253810ede683435e6bc

SHA1
3a1c3f7a2d18d614a76d938d94b3af6f75580d9f

SHA256
fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb

SHA512
dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dark.exe

Filesize
159KB

MD5
0d1b1c61a083b253810ede683435e6bc

SHA1
3a1c3f7a2d18d614a76d938d94b3af6f75580d9f

SHA256
fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb

SHA512
dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dark.exe

Filesize
159KB

MD5
0d1b1c61a083b253810ede683435e6bc

SHA1
3a1c3f7a2d18d614a76d938d94b3af6f75580d9f

SHA256
fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb

SHA512
dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3

Download Submit
memory/400-157-0x0000000005750000-0x0000000005D68000-memory.dmp

Filesize
6.1MB

Download
memory/400-160-0x0000000005190000-0x00000000051CC000-memory.dmp

Filesize
240KB

Download
memory/400-155-0x00000000008C0000-0x00000000008EE000-memory.dmp

Filesize
184KB

Download
memory/400-170-0x0000000007210000-0x000000000773C000-memory.dmp

Filesize
5.2MB

Download
memory/400-169-0x0000000006B10000-0x0000000006CD2000-memory.dmp

Filesize
1.8MB

Download
memory/400-158-0x0000000005130000-0x0000000005142000-memory.dmp

Filesize
72KB

Download
memory/400-159-0x0000000005260000-0x000000000536A000-memory.dmp

Filesize
1.0MB

Download
memory/400-171-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/400-161-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/400-162-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/400-165-0x0000000006560000-0x0000000006B04000-memory.dmp

Filesize
5.6MB

Download
memory/400-166-0x00000000060A0000-0x0000000006132000-memory.dmp

Filesize
584KB

Download
memory/400-172-0x00000000064B0000-0x0000000006500000-memory.dmp

Filesize
320KB

Download
memory/400-168-0x0000000006300000-0x0000000006376000-memory.dmp

Filesize
472KB

Download
memory/4000-167-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/4000-156-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/4000-150-0x0000000000630000-0x0000000000D26000-memory.dmp

Filesize
7.0MB

Download
memory/4000-174-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/4000-175-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/4220-152-0x0000000000400000-0x0000000000B3D000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing