redline | hxxps://github[.]com/HotCakeX/Harden-Windows-Security/

Analysis

max time kernel
64s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/HotCakeX/Harden-Windows-Security/

Score

10^/10

redline infostealer stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral1/memory/5448-763-0x00000206EEC10000-0x00000206EEDD2000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Blocklisted process makes network request 1 IoCs

flow	pid	Process
113	5448	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5448	powershell.exe
5448	powershell.exe
5448	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	firefox.exe
Token: SeDebugPrivilege	2000	firefox.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeIncreaseQuotaPrivilege	5448	powershell.exe
Token: SeSecurityPrivilege	5448	powershell.exe
Token: SeTakeOwnershipPrivilege	5448	powershell.exe
Token: SeLoadDriverPrivilege	5448	powershell.exe
Token: SeSystemProfilePrivilege	5448	powershell.exe
Token: SeSystemtimePrivilege	5448	powershell.exe
Token: SeProfSingleProcessPrivilege	5448	powershell.exe
Token: SeIncBasePriorityPrivilege	5448	powershell.exe
Token: SeCreatePagefilePrivilege	5448	powershell.exe
Token: SeBackupPrivilege	5448	powershell.exe
Token: SeRestorePrivilege	5448	powershell.exe
Token: SeShutdownPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeSystemEnvironmentPrivilege	5448	powershell.exe
Token: SeRemoteShutdownPrivilege	5448	powershell.exe
Token: SeUndockPrivilege	5448	powershell.exe
Token: SeManageVolumePrivilege	5448	powershell.exe
Token: 33	5448	powershell.exe
Token: 34	5448	powershell.exe
Token: 35	5448	powershell.exe
Token: 36	5448	powershell.exe
Token: SeIncreaseQuotaPrivilege	5448	powershell.exe
Token: SeSecurityPrivilege	5448	powershell.exe
Token: SeTakeOwnershipPrivilege	5448	powershell.exe
Token: SeLoadDriverPrivilege	5448	powershell.exe
Token: SeSystemProfilePrivilege	5448	powershell.exe
Token: SeSystemtimePrivilege	5448	powershell.exe
Token: SeProfSingleProcessPrivilege	5448	powershell.exe
Token: SeIncBasePriorityPrivilege	5448	powershell.exe
Token: SeCreatePagefilePrivilege	5448	powershell.exe
Token: SeBackupPrivilege	5448	powershell.exe
Token: SeRestorePrivilege	5448	powershell.exe
Token: SeShutdownPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeSystemEnvironmentPrivilege	5448	powershell.exe
Token: SeRemoteShutdownPrivilege	5448	powershell.exe
Token: SeUndockPrivilege	5448	powershell.exe
Token: SeManageVolumePrivilege	5448	powershell.exe
Token: 33	5448	powershell.exe
Token: 34	5448	powershell.exe
Token: 35	5448	powershell.exe
Token: 36	5448	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2000	firefox.exe
2000	firefox.exe
2000	firefox.exe
2000	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2000	firefox.exe
2000	firefox.exe
2000	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2000	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 548 wrote to memory of 2000	548	firefox.exe	85
PID 2000 wrote to memory of 2496	2000	firefox.exe	86
PID 2000 wrote to memory of 2496	2000	firefox.exe	86
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3828	2000	firefox.exe	87
PID 2000 wrote to memory of 3696	2000	firefox.exe	88
PID 2000 wrote to memory of 3696	2000	firefox.exe	88
PID 2000 wrote to memory of 3696	2000	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/HotCakeX/Harden-Windows-Security/
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/HotCakeX/Harden-Windows-Security/
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.0.776336957\1106916133" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5229f7ba-a15c-454e-a8ba-cc941d9b668a} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 1936 1bdd9916b58 gpu
    3⤵
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.1.1042402100\2059350847" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0918e57d-53ac-424e-af95-116d5b45fcb4} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 2440 1bdcb872e58 socket
    3⤵
    PID:3828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.2.933136881\1322931711" -childID 1 -isForBrowser -prefsHandle 3340 -prefMapHandle 3336 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66373352-6d1d-40cc-b35d-891674922541} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 3352 1bddc65a558 tab
    3⤵
    PID:3696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.3.1561333766\832495722" -childID 2 -isForBrowser -prefsHandle 4072 -prefMapHandle 4068 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aad920a7-33cd-4b22-91be-7bbbae3f68c0} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 4084 1bddda18e58 tab
    3⤵
    PID:4192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.4.1867357792\326921197" -childID 3 -isForBrowser -prefsHandle 4684 -prefMapHandle 4280 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adddd4b0-b1ad-42d5-b244-4ab0fa5824ae} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 1680 1bddea5d258 tab
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.6.3328345\584258765" -childID 5 -isForBrowser -prefsHandle 4896 -prefMapHandle 4912 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe0d27ab-0623-4e4e-a84a-b76ae3f0e344} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 5052 1bddea5ab58 tab
    3⤵
    PID:1768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2000.5.921043629\1152435497" -childID 4 -isForBrowser -prefsHandle 4812 -prefMapHandle 4824 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b751b24-932b-4384-8fa2-98a049ba2e38} 2000 "\\.\pipe\gecko-crash-server-pipe.2000" 4792 1bddea5a558 tab
    3⤵
    PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
147KB

MD5
006905e8c818730ef9e6566ff7a1b027

SHA1
24b8517798288fde1c6197646535f27f8c96994d

SHA256
41cf0798b29cee18b3ce7f908c55cd8539412e1b7fecc16490dce8fe59139083

SHA512
b939429e2f1055ff759681b9669490e70e41890b6a0d4cc95eac5a33814e7faddf76d9c825823b8e43d4b75549d613739b42cc661994cf5f0e8bcefb1ed75307

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvydn5ki.hav.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
b3284bc584a74f6d089185a354c6aae7

SHA1
64a72cb0f7001cdfe7aa62deb2675295487474d9

SHA256
8b7188ed0f6cf27d0dcc6379931320e7b197be2eed2bfe87ab91adea6491f2f9

SHA512
acee7129745728611e61b5550be135908413eaa93913acb2ccc0bc15e6f83ec0335bd8dc4816542a58f575fb2f1ba82bda987815155dc9d0456c544b696392a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
97c487e5b5ed597c41f78ca0bd7e40a0

SHA1
58348bed338aaf07533d1fcd7763c5f82a878fa3

SHA256
eb13a6a8efa2fa0cf2722ec254840f19c6bc8e9382e345d40b399eb29961614a

SHA512
04d2fe72077815a375aa2806eccec295bfab98388fe364289b2c322feda590e6274524fa80dd43f28db1cb76e85a4b8ee1f9b3e5fb55b23b8d8e0f8b9aee3a23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
8c7d729f4ba4db0f201f41f1ff1da43f

SHA1
2d08f7075857f85dd917cdf0d62e190584d294af

SHA256
34247999eced68e9256aff5b4fc7fd65035c9ffbac435a16f619998ea4e86bd0

SHA512
ee61c1f6b054a110a597e931ee3c20955d2a458c8073642b8836615039aeb06203a81e66940fe548278c6aa0397dd16ffe5b53b369849495e4af91a326ad50c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
35e12806c980a796ca7b8263a5f31225

SHA1
ad4e8726c033ddaf2a408423f0e0b37aca8b1068

SHA256
a4ebf10df713c1f3a1a80a076fdabd8ce980027a90b23bb62bcc7e0933e37e37

SHA512
5eb61f6ed93830e23472a28f6aa284b9790024c301188a1cabf454c1e1a859dd98d4bba31f50c41eec03373d2708b40605663c16f03f3bbdeeacaa44fa80bce0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js

Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
7921acf6f02895670daf8471563ffe9b

SHA1
b246336b68577e19b3509f1bcd98a18a82c03aad

SHA256
e11c73b379bee05590395e38b5368331992baaafa48bd72d6d7915b98e005632

SHA512
8d4e2ec3a7eaa0049f4d57112bb5bf601954c8cd0e3301813acb0b6fee3fcca55fc7f7dc5ca839301768c4a349813755fac39ab5e8dd3521510bfc54b4fd7c51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
6c549429a8bd439dcaa9c27763a4a112

SHA1
89b49490e13afdcfd39a0ebfbbe7fe1bc0a7ca14

SHA256
c302e196c436589477ce6d86dd061a229d805222e104ff3ee7dae1a9a4ef5a53

SHA512
29d78a072ac104f3d68602206bb1faac8820d10ad2393939197e96709541916a61cf47ce7ae18b8567ca4550eb70b4c111ba4cd7c7352bd9ed9e0b90a5a87170

Download Submit
memory/5448-626-0x00000206EE550000-0x00000206EE560000-memory.dmp

Filesize
64KB

Download
memory/5448-741-0x00000206EE550000-0x00000206EE560000-memory.dmp

Filesize
64KB

Download
memory/5448-627-0x00000206EE550000-0x00000206EE560000-memory.dmp

Filesize
64KB

Download
memory/5448-619-0x00000206EE9C0000-0x00000206EEA36000-memory.dmp

Filesize
472KB

Download
memory/5448-618-0x00000206EE8F0000-0x00000206EE934000-memory.dmp

Filesize
272KB

Download
memory/5448-739-0x00000206EE550000-0x00000206EE560000-memory.dmp

Filesize
64KB

Download
memory/5448-740-0x00000206EE550000-0x00000206EE560000-memory.dmp

Filesize
64KB

Download
memory/5448-625-0x00000206EE550000-0x00000206EE560000-memory.dmp

Filesize
64KB

Download
memory/5448-763-0x00000206EEC10000-0x00000206EEDD2000-memory.dmp

Filesize
1.8MB

Download
memory/5448-775-0x00000206EE940000-0x00000206EE96A000-memory.dmp

Filesize
168KB

Download
memory/5448-776-0x00000206EE940000-0x00000206EE964000-memory.dmp

Filesize
144KB

Download
memory/5448-782-0x00000206EE550000-0x00000206EE560000-memory.dmp

Filesize
64KB

Download
memory/5448-883-0x00000206EE550000-0x00000206EE560000-memory.dmp

Filesize
64KB

Download
memory/5448-603-0x00000206D4CB0000-0x00000206D4CD2000-memory.dmp

Filesize
136KB

Download