Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://95.214.27.98/...

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2023 08:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://95.214.27.98/lend/redline.exe

Score
10/10
redlineredlinediscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

Redline

C2

85.31.54.183:18435

Attributes
  • auth_value

    50837656cba6e4dd56bfbb4a61dadb63

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://95.214.27.98/lend/redline.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:796 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1148
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\redline.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\redline.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\redline[1].exe
    Filesize

    145KB

    MD5

    2d0d9f29bca70bdde306f8b5188117ce

    SHA1

    a4a04353801aee05a4e90dd1ddbd395c2830ea3e

    SHA256

    71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

    SHA512

    a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\redline.exe
    Filesize

    145KB

    MD5

    2d0d9f29bca70bdde306f8b5188117ce

    SHA1

    a4a04353801aee05a4e90dd1ddbd395c2830ea3e

    SHA256

    71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

    SHA512

    a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\redline.exe.f0g2h0e.partial
    Filesize

    145KB

    MD5

    2d0d9f29bca70bdde306f8b5188117ce

    SHA1

    a4a04353801aee05a4e90dd1ddbd395c2830ea3e

    SHA256

    71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

    SHA512

    a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

    Download Submit
  • memory/5104-148-0x0000000005840000-0x0000000005850000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5104-151-0x0000000006330000-0x0000000006396000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5104-146-0x0000000005790000-0x00000000057A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/5104-147-0x00000000057F0000-0x000000000582C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/5104-144-0x0000000005D10000-0x0000000006328000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/5104-149-0x00000000068E0000-0x0000000006E84000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/5104-150-0x0000000005C60000-0x0000000005CF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/5104-145-0x0000000005860000-0x000000000596A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/5104-152-0x0000000007060000-0x0000000007222000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/5104-153-0x0000000005840000-0x0000000005850000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5104-154-0x0000000007760000-0x0000000007C8C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/5104-155-0x0000000007230000-0x00000000072A6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/5104-156-0x0000000006FC0000-0x0000000007010000-memory.dmp
    Filesize

    320KB

    Download
  • memory/5104-143-0x0000000000DD0000-0x0000000000DFA000-memory.dmp
    Filesize

    168KB

    Download