redline | 462bf8a2e19a3e2dd4e5635aa5089e7bdc291d5c5c4665549f64f67abf0b598a

Resubmissions

30/03/2023, 08:10

230330-j2y76adb8v 10

30/03/2023, 06:06

230330-gttxcsbb64 10

Analysis

max time kernel
209s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2023, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Section 1.one
Size

687KB
MD5

8ae07041e2b2c7201571f3b9541c3925
SHA1

f2c15ca4740fb2a1c11e8cd55181ba97caae3c77
SHA256

462bf8a2e19a3e2dd4e5635aa5089e7bdc291d5c5c4665549f64f67abf0b598a
SHA512

16643ff70f5b74a8516ad93625db110c6f04f29bb2fdc43009f1f77732e9a51b8d814872ff17598c3a014ebccf41aea396650f2a18a7cd69e83435443ba6e92d
SSDEEP

12288:CIjHiImv+fuHiMRLAlR88CQaAY3MjplVTK57xg/96LxY55W:DjH3+PiMRL98CkY3MrVqSs

Score

10^/10

redline kento infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

kento

172.245.45.213:3235

Attributes

auth_value
25782da22784dd4df09e2caa33275948

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3316-317-0x0000000000400000-0x0000000000434000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
2404	def_FUD.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 3316	2404	def_FUD.exe	92

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4608	ONENOTE.EXE
4608	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4608	ONENOTE.EXE
4608	ONENOTE.EXE
3316	Caspol.exe
3316	Caspol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	def_FUD.exe
Token: SeDebugPrivilege	3316	Caspol.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE
4608	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2404	4608	ONENOTE.EXE	91
PID 4608 wrote to memory of 2404	4608	ONENOTE.EXE	91
PID 4608 wrote to memory of 2404	4608	ONENOTE.EXE	91
PID 2404 wrote to memory of 3316	2404	def_FUD.exe	92
PID 2404 wrote to memory of 3316	2404	def_FUD.exe	92
PID 2404 wrote to memory of 3316	2404	def_FUD.exe	92
PID 2404 wrote to memory of 3316	2404	def_FUD.exe	92
PID 2404 wrote to memory of 3316	2404	def_FUD.exe	92
PID 2404 wrote to memory of 3316	2404	def_FUD.exe	92
PID 2404 wrote to memory of 3316	2404	def_FUD.exe	92
PID 2404 wrote to memory of 3316	2404	def_FUD.exe	92

C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\Temp\New Section 1.one"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{A09BBAC8-0B04-42F8-A4CB-61F304B5CF55}\DT\0\def_FUD.exe
  "C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{A09BBAC8-0B04-42F8-A4CB-61F304B5CF55}\DT\0\def_FUD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BL.bin

Filesize
544B

MD5
3f94cef008b1e50aa5ad317fde5a85f3

SHA1
e27d26d6631b61ea4ff0535ce904598e0a27890b

SHA256
e700d920eacf7119a6a1a3543848921c1fb4ff00f1888b2eb4f76cb3c38b9f2e

SHA512
dc2dcf9f9921a037472b1d0d0076c8bed51a87c2ed39a26b3f8fcbcbe2e58ba5bf07562f4bb03209008521ba4653c650e61ea86aa9c87a5a6fc8153a3f32957b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BM.bin

Filesize
544B

MD5
6894839fcf787c48a67f85a47c20c884

SHA1
254ddf5bd5b5159bea25ea3795a1b856be570537

SHA256
066e3d9a9dd6349c9b3051563b73429e18fa5e8901a9b1f661723a7b127e2829

SHA512
0a313876af1e4c46cb3b52d15d30e2759cf1989974ad190260383aa87497161fe04f982806aa37495f3a0681921e9266c2e76eaf387a97c3a4bd8474e2011e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BO.bin

Filesize
428KB

MD5
29e0b5b9cdfd9ca6386e17e72b3bfc59

SHA1
450a9076028d91ac321ba0e45ed6db17fb5c5cd6

SHA256
ea99a474b553c92fdfd59c8a1671d64ac9c4d3af27fa7dec6eeb51bd907156de

SHA512
69fe2bb0bdfc664fee3aec69771b85bde0f73c8b16f624e64c0ad146b66bf4d808190e73ce31bcc162bbe581b6f2ecdd6f2de9d776b02588c142c5885e378c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BQ.bin

Filesize
4KB

MD5
188df9207bdf4e30e40e3709fca4e347

SHA1
a508f4d6c87d6a959944e46d4221435d2f0bf65d

SHA256
45744e38d44bbe1e11c8183d577d18be90a3a545c8d8ef8bae50488d37677dcb

SHA512
fac6726200d55c5f336c313c5b875a4885913629ed70b254a0c81b55e46d6c3dd7ee298bdb01e57d5df8362ae47f5ef69969827350dc0e634010383dcfbbf9f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000BS.bin

Filesize
230KB

MD5
6654079761c2a0d0f2f56b57ef284305

SHA1
5843d43d7050db9a3c256d4a5b5cad6e643df07d

SHA256
7d2b04d756813421bbddd6b8c17b457e73ab06ffbaecc9ee908b0bc3182bc4be

SHA512
2f85c953287992508306cc191c034f63828cdba41ffd738c07b5ada9d5c3e7ed57b377d6c428f2449fdc85f83b0032e6aebbdea15af8b9f9c3a6dd216d36f6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\tmp\000000C0.bin

Filesize
544B

MD5
f89b42068564261dcdfb4d97e0b9b92e

SHA1
19147063c5fb81273340ce07088a45fc769cde38

SHA256
5af56412af0000f15e191457fe88a05b871670b3e3b66dd06a966f6796924a01

SHA512
c7d4e9f68c46bee2b3819eb1d1bd5080d90ce127f49ae5b6f92ee795e4fd3b8d98f0becf5a1f91e4aabccdf5dd43a81b20b9d6bce701d8e01a83c19a316bac68

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{A09BBAC8-0B04-42F8-A4CB-61F304B5CF55}\DT\0\def_FUD.exe

Filesize
428KB

MD5
fafe5a70663c2446d2c3cfdf6b3ecef0

SHA1
ece9d774c62af3c79f6a8cab55ffe19b70b0da13

SHA256
684ec0c4d29f19b6b88066ea5a33b9b378720e04b9c3686fc745276a5f7a6771

SHA512
3c5ff6ae19c810d2785c324d17cb40dd58e15812db05f0932d8a8d9c1f4169277c820eeb8fbe872b46ec10e94eef35208cce7e73fc62e59ad71409fff29f141b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{A09BBAC8-0B04-42F8-A4CB-61F304B5CF55}\DT\0\def_FUD.exe

Filesize
428KB

MD5
fafe5a70663c2446d2c3cfdf6b3ecef0

SHA1
ece9d774c62af3c79f6a8cab55ffe19b70b0da13

SHA256
684ec0c4d29f19b6b88066ea5a33b9b378720e04b9c3686fc745276a5f7a6771

SHA512
3c5ff6ae19c810d2785c324d17cb40dd58e15812db05f0932d8a8d9c1f4169277c820eeb8fbe872b46ec10e94eef35208cce7e73fc62e59ad71409fff29f141b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\{A09BBAC8-0B04-42F8-A4CB-61F304B5CF55}\DT\0\def_FUD.exe

Filesize
428KB

MD5
fafe5a70663c2446d2c3cfdf6b3ecef0

SHA1
ece9d774c62af3c79f6a8cab55ffe19b70b0da13

SHA256
684ec0c4d29f19b6b88066ea5a33b9b378720e04b9c3686fc745276a5f7a6771

SHA512
3c5ff6ae19c810d2785c324d17cb40dd58e15812db05f0932d8a8d9c1f4169277c820eeb8fbe872b46ec10e94eef35208cce7e73fc62e59ad71409fff29f141b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{07867257-D716-4258-9952-5468177677C0}

Filesize
544B

MD5
ed1c60146812f9ca268cffd69ae2f7a4

SHA1
800070e345e163394ce86d22e902082b05321baf

SHA256
b7ab9ffde28822bacf3d3361fe6ff79423404c6496c4c51c71de07c5a626c2f4

SHA512
c4bda1ad84e0ec722cbb4fd29af1e90494d8209a51cc8e2ade295099b1cc663c5c5cbfa81408343605734725b86afa8eb66472f85316d7c831c066e9ef9f8d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AFEA8602-1450-4BE1-9E2F-FDA17E9E1A3A}

Filesize
544B

MD5
fccd41cbecbcb0f05c8f0ebbba2a726a

SHA1
dfcbcdf5162c54efca2612e2c14a73b15afdf708

SHA256
a70cfe0ff4db4f54406317e4368777b942ee28d384ccc77ce456cfbed1813abe

SHA512
2f864665cde150c0a3710759bacd79ea29ffd09a015e2b8ad1d1aefe44b27cd7df8fa1ad9ba241c0a121cf484cf10f251b95487f5efe7223ba0ff3d47d723d0a

Download Submit
memory/2404-318-0x000000000BE60000-0x000000000BEF2000-memory.dmp

Filesize
584KB

Download
memory/2404-315-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/2404-314-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/2404-313-0x0000000005120000-0x00000000051BC000-memory.dmp

Filesize
624KB

Download
memory/2404-312-0x0000000000850000-0x00000000008BE000-memory.dmp

Filesize
440KB

Download
memory/3316-322-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/3316-333-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/3316-338-0x0000000006AF0000-0x0000000006B40000-memory.dmp

Filesize
320KB

Download
memory/3316-337-0x0000000006A70000-0x0000000006AE6000-memory.dmp

Filesize
472KB

Download
memory/3316-336-0x0000000007E60000-0x000000000838C000-memory.dmp

Filesize
5.2MB

Download
memory/3316-335-0x0000000007760000-0x0000000007922000-memory.dmp

Filesize
1.8MB

Download
memory/3316-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-334-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/3316-320-0x0000000005720000-0x0000000005D38000-memory.dmp

Filesize
6.1MB

Download
memory/3316-321-0x0000000005280000-0x000000000538A000-memory.dmp

Filesize
1.0MB

Download
memory/3316-324-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/3316-323-0x0000000005210000-0x000000000524C000-memory.dmp

Filesize
240KB

Download
memory/4608-139-0x00007FFC24320000-0x00007FFC24330000-memory.dmp

Filesize
64KB

Download
memory/4608-133-0x00007FFC26730000-0x00007FFC26740000-memory.dmp

Filesize
64KB

Download
memory/4608-138-0x00007FFC24320000-0x00007FFC24330000-memory.dmp

Filesize
64KB

Download
memory/4608-137-0x00007FFC26730000-0x00007FFC26740000-memory.dmp

Filesize
64KB

Download
memory/4608-136-0x00007FFC26730000-0x00007FFC26740000-memory.dmp

Filesize
64KB

Download
memory/4608-134-0x00007FFC26730000-0x00007FFC26740000-memory.dmp

Filesize
64KB

Download
memory/4608-135-0x00007FFC26730000-0x00007FFC26740000-memory.dmp

Filesize
64KB

Download