Overview

overview

10

Static

static

3

redline_padding.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    70s
  • max time network
    78s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2023 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    redline_padding.exe

  • Size

    441.4MB

  • MD5

    e722c2c76497ed2af3403a920d9fccab

  • SHA1

    1f1bc1edf12728647d606866144200b9c84c4301

  • SHA256

    1329df01ef709c74462947fe5c950ac7b5b374f65b0c2f7f558a3e8299a5d7e3

  • SHA512

    e588c0ff6b68892f990d32f5c9deb4836f5e63b664c6710d7e629b4b9b2b091ad1d25887218c957b7c9d040e4e86a45ceab898c673b75d62f6063a1a8d46459c

  • SSDEEP

    6144:jX0F86lue1jWWIZ5oEbMDfJnYp/3Nn28Y4naKNJGA+JjqfO+m6HVn5S:jzdZ5oc0dg/Nns4naqJGZJjqG+RV8

Score
10/10
redlineytinfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

yt

C2

65.109.161.165:6997

Attributes
  • auth_value

    c85b149d6d3359b3fe4dd1dfcc5864e8

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\redline_padding.exe
    "C:\Users\Admin\AppData\Local\Temp\redline_padding.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4620
    • C:\Users\Admin\AppData\Local\Temp\bin do.exe
      "C:\Users\Admin\AppData\Local\Temp\bin do.exe"
      2⤵
      • Executes dropped EXE
      PID:4668
  • C:\Windows\system32\launchtm.exe
    launchtm.exe /2
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\System32\Taskmgr.exe
      "C:\Windows\System32\Taskmgr.exe" /2
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bin do.exe
    Filesize

    3KB

    MD5

    43c14a07b0a83cb0ade9f7da7b0ca394

    SHA1

    79d457fc5c171c3677c50d19e7df3baf5f1311a8

    SHA256

    3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

    SHA512

    9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bin do.exe
    Filesize

    3KB

    MD5

    43c14a07b0a83cb0ade9f7da7b0ca394

    SHA1

    79d457fc5c171c3677c50d19e7df3baf5f1311a8

    SHA256

    3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

    SHA512

    9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bin do.exe
    Filesize

    3KB

    MD5

    43c14a07b0a83cb0ade9f7da7b0ca394

    SHA1

    79d457fc5c171c3677c50d19e7df3baf5f1311a8

    SHA256

    3069063f04fc8c45fc2c84743a085bcfcbe2df9642c0518a1a185549ab9dfc36

    SHA512

    9bfefb852eec35916aefe50d6a50731b2fbf5eb87f6cb64d2fc3d4b8e86107b2687d75a5ed169972a8574f1df72f21336ccd427446519edcb2cc65c75e025a0c

    Download Submit
  • memory/1416-134-0x0000000005190000-0x00000000051A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1416-133-0x0000000000720000-0x00000000007CE000-memory.dmp
    Filesize

    696KB

    Download
  • memory/4620-157-0x0000000006BE0000-0x0000000007184000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4620-161-0x0000000006950000-0x0000000006B12000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4620-140-0x00000000054F0000-0x0000000005500000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4620-148-0x0000000005500000-0x000000000553C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4620-138-0x0000000005610000-0x000000000571A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4620-137-0x0000000005B20000-0x0000000006138000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4620-162-0x0000000007DB0000-0x00000000082DC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4620-155-0x00000000057E0000-0x0000000005856000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4620-156-0x0000000005900000-0x0000000005992000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4620-135-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4620-158-0x0000000005AA0000-0x0000000005B06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4620-159-0x00000000054F0000-0x0000000005500000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4620-160-0x0000000006730000-0x0000000006780000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4620-141-0x0000000004F20000-0x0000000004F32000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4668-153-0x0000000000720000-0x0000000000728000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4672-164-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-166-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-165-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-170-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-172-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-171-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-173-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-174-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-175-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4672-176-0x0000018D7B660000-0x0000018D7B661000-memory.dmp
    Filesize

    4KB

    Download