redline | 727a5380cc5975839d6411d42569d834a337d139fb40f2e94e855835e2b538d6

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMSauto-setup.exe
Size

3.8MB
MD5

c7e2bb8d867d4f4bb484cfe674a16c55
SHA1

fdd4fbd30bc2db3faf199799bb732dbf3a137a1a
SHA256

727a5380cc5975839d6411d42569d834a337d139fb40f2e94e855835e2b538d6
SHA512

c8596183949d7c888724374f48c202b2f96af8a32654234f746124b0a3476682ab109c7bc293a4c5a8b8e0661a56c954ab467c5d86b9b789237f86acadd596d3
SSDEEP

98304:CpyfN3PlMJaE15aViYyf6L0c6veW0YDr9C3PVbiUk:SyfQJt15RY66gnZvJUk

Score

10^/10

redline 0215 infostealer

Malware Config

Extracted

Family

redline

Botnet

0215

badinytlesi.xyz:80

yaliesarevi.xyz:80

Attributes

auth_value
c9dd5ca07f69257239203a3c44bb8a57

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

resource	yara_rule
behavioral2/memory/2772-181-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-182-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-184-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-186-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-188-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-190-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-192-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-194-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-196-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-198-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-200-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-202-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-204-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-206-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-208-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-210-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-212-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-214-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-218-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-216-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-220-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-222-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-224-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-226-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-228-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-232-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-230-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-234-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-238-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-236-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-240-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-242-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-244-0x00000000025B0000-0x00000000025DD000-memory.dmp	family_redline
behavioral2/memory/2772-1146-0x0000000002650000-0x0000000002660000-memory.dmp	family_redline

Blocklisted process makes network request 2 IoCs

flow	pid	Process
42	2960	WScript.exe
45	2960	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	KMSauto-setup.exe

Executes dropped EXE 2 IoCs

pid	Process
2772	build.exe
1120	KMSAuto Net.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	KMSauto-setup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	build.exe
Token: 33	3228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3228	AUDIODG.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 2960	4400	KMSauto-setup.exe	93
PID 4400 wrote to memory of 2960	4400	KMSauto-setup.exe	93
PID 4400 wrote to memory of 2960	4400	KMSauto-setup.exe	93
PID 4400 wrote to memory of 2772	4400	KMSauto-setup.exe	94
PID 4400 wrote to memory of 2772	4400	KMSauto-setup.exe	94
PID 4400 wrote to memory of 2772	4400	KMSauto-setup.exe	94
PID 4400 wrote to memory of 1120	4400	KMSauto-setup.exe	96
PID 4400 wrote to memory of 1120	4400	KMSauto-setup.exe	96
PID 4400 wrote to memory of 1120	4400	KMSauto-setup.exe	96
PID 1120 wrote to memory of 928	1120	KMSAuto Net.exe	97
PID 1120 wrote to memory of 928	1120	KMSAuto Net.exe	97
PID 1120 wrote to memory of 928	1120	KMSAuto Net.exe	97
PID 1120 wrote to memory of 2700	1120	KMSAuto Net.exe	99
PID 1120 wrote to memory of 2700	1120	KMSAuto Net.exe	99
PID 1120 wrote to memory of 2428	1120	KMSAuto Net.exe	101
PID 1120 wrote to memory of 2428	1120	KMSAuto Net.exe	101

C:\Users\Admin\AppData\Local\Temp\KMSauto-setup.exe
"C:\Users\Admin\AppData\Local\Temp\KMSauto-setup.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\script.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2960
- C:\Users\Admin\AppData\Roaming\build.exe
  "C:\Users\Admin\AppData\Roaming\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Users\Admin\AppData\Roaming\KMSAuto Net.exe
  "C:\Users\Admin\AppData\Roaming\KMSAuto Net.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
    3⤵
    PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /c echo test>>"C:\Users\Admin\AppData\Roaming\test.test"
    3⤵
    PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
    3⤵
    PID:2428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4b8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\KMSAuto Net.exe

Filesize
8.6MB

MD5
93a3a8ce440197d31168fac569082937

SHA1
fad3066803a1ba8f9cb8bb7d1969eea0398b5ea0

SHA256
22ef521964080e77d7006f9341d720683fa98409361c62a7bc4fe81ec474b1b2

SHA512
08efe7e24d8d9e484d39c1381421c3fbbf231e46a5ac33c22bf3735a06c4a3d278a752c25afeb4217cc663a6c6955a55985056a7d5d5142e57c2ac5d99e5d0c8

Download Submit
C:\Users\Admin\AppData\Roaming\KMSAuto Net.exe

Filesize
8.6MB

MD5
93a3a8ce440197d31168fac569082937

SHA1
fad3066803a1ba8f9cb8bb7d1969eea0398b5ea0

SHA256
22ef521964080e77d7006f9341d720683fa98409361c62a7bc4fe81ec474b1b2

SHA512
08efe7e24d8d9e484d39c1381421c3fbbf231e46a5ac33c22bf3735a06c4a3d278a752c25afeb4217cc663a6c6955a55985056a7d5d5142e57c2ac5d99e5d0c8

Download Submit
C:\Users\Admin\AppData\Roaming\KMSAuto Net.exe

Filesize
8.6MB

MD5
93a3a8ce440197d31168fac569082937

SHA1
fad3066803a1ba8f9cb8bb7d1969eea0398b5ea0

SHA256
22ef521964080e77d7006f9341d720683fa98409361c62a7bc4fe81ec474b1b2

SHA512
08efe7e24d8d9e484d39c1381421c3fbbf231e46a5ac33c22bf3735a06c4a3d278a752c25afeb4217cc663a6c6955a55985056a7d5d5142e57c2ac5d99e5d0c8

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
377KB

MD5
04eef1596eb9769556b5ef8c42ee709a

SHA1
db4180e1ff94e544346c758826a214136e92072f

SHA256
9732508128b1dfc791d4af808eacbed5dcafaa7ad3f3f8e03cd5fc885285080d

SHA512
14b1397c5775e3f65d74570d2ebd51df980f0850a38b385b1a0dd2bea5c420da735c84698ce0fb48e884b505febd9c4f97a49c1525c3413271979876d215a8ac

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
377KB

MD5
04eef1596eb9769556b5ef8c42ee709a

SHA1
db4180e1ff94e544346c758826a214136e92072f

SHA256
9732508128b1dfc791d4af808eacbed5dcafaa7ad3f3f8e03cd5fc885285080d

SHA512
14b1397c5775e3f65d74570d2ebd51df980f0850a38b385b1a0dd2bea5c420da735c84698ce0fb48e884b505febd9c4f97a49c1525c3413271979876d215a8ac

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
377KB

MD5
04eef1596eb9769556b5ef8c42ee709a

SHA1
db4180e1ff94e544346c758826a214136e92072f

SHA256
9732508128b1dfc791d4af808eacbed5dcafaa7ad3f3f8e03cd5fc885285080d

SHA512
14b1397c5775e3f65d74570d2ebd51df980f0850a38b385b1a0dd2bea5c420da735c84698ce0fb48e884b505febd9c4f97a49c1525c3413271979876d215a8ac

Download Submit
C:\Users\Admin\AppData\Roaming\script.vbs

Filesize
685B

MD5
0dea7d1c1544d71cc604cd364f5b9e52

SHA1
c02058d9241ec21c9dd81f280fa2f988b6762544

SHA256
fd3a646f5f862fb4eb34a1a7b4274a8be4a6afd8364e2f24a58c6dbde1e10214

SHA512
abaf39f768931dd4c7cb749d6c5a280d443888b445beed4b12aa41bee5259407683e62cfaa7ab8e4d61ff223867356dcfd2de2eeed39a1f1273653b28f912ba1

Download Submit
C:\Users\Admin\AppData\Roaming\test.test

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
memory/1120-162-0x0000000000CE0000-0x0000000001576000-memory.dmp

Filesize
8.6MB

Download
memory/1120-163-0x0000000005EC0000-0x0000000005F5C000-memory.dmp

Filesize
624KB

Download
memory/1120-164-0x0000000006530000-0x0000000006AD4000-memory.dmp

Filesize
5.6MB

Download
memory/1120-165-0x0000000006020000-0x00000000060B2000-memory.dmp

Filesize
584KB

Download
memory/1120-166-0x0000000005FB0000-0x0000000005FBA000-memory.dmp

Filesize
40KB

Download
memory/1120-167-0x00000000061B0000-0x0000000006206000-memory.dmp

Filesize
344KB

Download
memory/1120-168-0x0000000006230000-0x0000000006240000-memory.dmp

Filesize
64KB

Download
memory/1120-177-0x0000000006230000-0x0000000006240000-memory.dmp

Filesize
64KB

Download
memory/1120-1143-0x0000000006230000-0x0000000006240000-memory.dmp

Filesize
64KB

Download
memory/1120-1142-0x0000000006230000-0x0000000006240000-memory.dmp

Filesize
64KB

Download
memory/2772-206-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-224-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-182-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-184-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-186-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-188-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-190-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-192-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-194-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-196-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-198-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-200-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-202-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-204-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-180-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/2772-208-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-210-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-212-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-214-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-218-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-216-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-220-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-222-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-181-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-226-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-228-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-232-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-230-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-234-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-238-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-236-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-240-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-242-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-244-0x00000000025B0000-0x00000000025DD000-memory.dmp

Filesize
180KB

Download
memory/2772-582-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/2772-1136-0x00000000051B0000-0x00000000057C8000-memory.dmp

Filesize
6.1MB

Download
memory/2772-1137-0x0000000005840000-0x0000000005852000-memory.dmp

Filesize
72KB

Download
memory/2772-1138-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-1139-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/2772-1140-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/2772-179-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/2772-178-0x00000000020D0000-0x0000000002109000-memory.dmp

Filesize
228KB

Download
memory/2772-1144-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/2772-1145-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/2772-1146-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/2772-1147-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download