redline | 5738e9e23d0c21542c695990f81fd536ba56130851b3aad49a1c48777fe828ba

General

Target

d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.exe
Size

1.2MB
MD5

6af6a7fac1197a9b12b28c0e4db8c18a
SHA1

357ae7d706de393d8743dbbe0d94bc87922643cf
SHA256

d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687
SHA512

6a89fbff98be91a89008830f7aa3f88ef8fcd4c9967d1443abda4bad71097f6abc6a1371e0767e8853a3e52bd4e3f944f4ccbb7f8173d06d7c777bc71823f899
SSDEEP

24576:2TbBv5rUyXVTW6Hq69NuPQPyUfezTtJiC7nVUriVGAQ+hw17tq:IBJTzHqBQrW3tEwnGtdCOBq

Score

10^/10

redline 2 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

2

C2

135.181.7.171:81

Attributes

auth_value
101013a5e99e0857595aae297a11351d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.exe

Executes dropped EXE 2 IoCs

Processes:

4usfliof.exeyee9mbi69cm7.exe

pid process

328 4usfliof.exe
4664 yee9mbi69cm7.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
328	4usfliof.exe
4664	yee9mbi69cm7.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4usfliof.exeyee9mbi69cm7.exe

description	pid	process	target process
PID 328 set thread context of 4868	328	4usfliof.exe	RegSvcs.exe
PID 4664 set thread context of 4568	4664	yee9mbi69cm7.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3368 328 WerFault.exe 4usfliof.exe
3992 4664 WerFault.exe yee9mbi69cm7.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

4868 RegSvcs.exe
4868 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4868 RegSvcs.exe

pid	pid_target	process	target process
3368	328	WerFault.exe	4usfliof.exe
3992	4664	WerFault.exe	yee9mbi69cm7.exe

pid	process
4868	RegSvcs.exe
4868	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4868	RegSvcs.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.execmd.exe4usfliof.exeyee9mbi69cm7.exe

description	pid	process	target process
PID 4388 wrote to memory of 3232	4388	d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.exe	cmd.exe
PID 4388 wrote to memory of 3232	4388	d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.exe	cmd.exe
PID 4388 wrote to memory of 3232	4388	d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.exe	cmd.exe
PID 3232 wrote to memory of 208	3232	cmd.exe	cmd.exe
PID 3232 wrote to memory of 208	3232	cmd.exe	cmd.exe
PID 3232 wrote to memory of 208	3232	cmd.exe	cmd.exe
PID 3232 wrote to memory of 328	3232	cmd.exe	4usfliof.exe
PID 3232 wrote to memory of 328	3232	cmd.exe	4usfliof.exe
PID 3232 wrote to memory of 328	3232	cmd.exe	4usfliof.exe
PID 3232 wrote to memory of 4664	3232	cmd.exe	yee9mbi69cm7.exe
PID 3232 wrote to memory of 4664	3232	cmd.exe	yee9mbi69cm7.exe
PID 3232 wrote to memory of 4664	3232	cmd.exe	yee9mbi69cm7.exe
PID 328 wrote to memory of 4868	328	4usfliof.exe	RegSvcs.exe
PID 328 wrote to memory of 4868	328	4usfliof.exe	RegSvcs.exe
PID 328 wrote to memory of 4868	328	4usfliof.exe	RegSvcs.exe
PID 328 wrote to memory of 4868	328	4usfliof.exe	RegSvcs.exe
PID 328 wrote to memory of 4868	328	4usfliof.exe	RegSvcs.exe
PID 4664 wrote to memory of 4568	4664	yee9mbi69cm7.exe	RegSvcs.exe
PID 4664 wrote to memory of 4568	4664	yee9mbi69cm7.exe	RegSvcs.exe
PID 4664 wrote to memory of 4568	4664	yee9mbi69cm7.exe	RegSvcs.exe
PID 4664 wrote to memory of 4568	4664	yee9mbi69cm7.exe	RegSvcs.exe
PID 4664 wrote to memory of 4568	4664	yee9mbi69cm7.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.exe
"C:\Users\Admin\AppData\Local\Temp\d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b "*.exe"
3⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4usfliof.exe
"4usfliof.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 292
4⤵
- Program crash
PID:3368

C:\Users\Admin\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe
"yee9mbi69cm7.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 292
4⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 328 -ip 328
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4664 -ip 4664
1⤵
PID:3816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4usfliof.exe
Filesize
3.4MB

MD5
b154114f2d13496dc9630cac4e707672

SHA1
ade072fea73e4f76c073e17bb75dc2d13b275919

SHA256
72d79fb5cfd43477a78468976fa015486f13504f36315379ccd3ede0e84b3ddb

SHA512
dfd8fef8eea701b017b935b62f99f306a9ba9adfd9a5fe0a5c18346b2e6cc432af62dda2638ded60c5d09b1b53fe8e75d1c5aac4d9f6cac6306a3a3cbbbfb8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\4usfliof.exe
Filesize
3.4MB

MD5
b154114f2d13496dc9630cac4e707672

SHA1
ade072fea73e4f76c073e17bb75dc2d13b275919

SHA256
72d79fb5cfd43477a78468976fa015486f13504f36315379ccd3ede0e84b3ddb

SHA512
dfd8fef8eea701b017b935b62f99f306a9ba9adfd9a5fe0a5c18346b2e6cc432af62dda2638ded60c5d09b1b53fe8e75d1c5aac4d9f6cac6306a3a3cbbbfb8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.bat
Filesize
85B

MD5
a1099e439c142789ff2183c18f77cdca

SHA1
f7efcca92b6138c091c926277d5c29dfefe0872e

SHA256
8fd34feb39582f009552d460e8d24539dd00bb1251f2e721277fb3559c998917

SHA512
7bc34150f5662589f6d16803716deb7974c56e4665907bd7e2a4337c6e9397603b3a8d9e4f8f64c5bbb4c948c168843555fcc744f86eb932cddb3d94af6b7cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe
Filesize
5.7MB

MD5
d076d83093cf70d43ae8202cb9603d0d

SHA1
4df9ed4524474c5108453453dcfe837aa148b761

SHA256
f84056220c4d155ccd53c681575df2c05185fdfdf17780a1f3722cc6f10f0c30

SHA512
b7c38277d614dfe5c28dd61d7289c9b3d306e51811df1237ccf8ecb851c9a20692f6fe9641f367b507b87340ad96c8617e95dd60e954bd6d63aa0e4780317310

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\yee9mbi69cm7.exe
Filesize
5.7MB

MD5
d076d83093cf70d43ae8202cb9603d0d

SHA1
4df9ed4524474c5108453453dcfe837aa148b761

SHA256
f84056220c4d155ccd53c681575df2c05185fdfdf17780a1f3722cc6f10f0c30

SHA512
b7c38277d614dfe5c28dd61d7289c9b3d306e51811df1237ccf8ecb851c9a20692f6fe9641f367b507b87340ad96c8617e95dd60e954bd6d63aa0e4780317310

Download Submit
memory/4568-176-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4568-181-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4568-178-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4568-177-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4568-156-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4868-153-0x0000000005C20000-0x0000000006238000-memory.dmp

Filesize
6.1MB

Download
memory/4868-447-0x0000000006960000-0x00000000069F2000-memory.dmp

Filesize
584KB

Download
memory/4868-155-0x00000000056D0000-0x00000000056E2000-memory.dmp

Filesize
72KB

Download
memory/4868-154-0x00000000057A0000-0x00000000058AA000-memory.dmp

Filesize
1.0MB

Download
memory/4868-148-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4868-180-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/4868-443-0x0000000006E10000-0x00000000073B4000-memory.dmp

Filesize
5.6MB

Download
memory/4868-157-0x0000000005760000-0x000000000579C000-memory.dmp

Filesize
240KB

Download
memory/4868-456-0x0000000006A00000-0x0000000006A66000-memory.dmp

Filesize
408KB

Download
memory/4868-519-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/4868-604-0x0000000007880000-0x0000000007A42000-memory.dmp

Filesize
1.8MB

Download
memory/4868-613-0x0000000008690000-0x0000000008BBC000-memory.dmp

Filesize
5.2MB

Download
memory/4868-634-0x0000000007730000-0x00000000077A6000-memory.dmp

Filesize
472KB

Download
memory/4868-637-0x00000000077B0000-0x0000000007800000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads