redline | 2e283cb87bbd79191ea892566e255678735e0a9718e3fde91dc448d822a1a9bb

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2023 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000a00000001434a-94.exe
Size

173KB
MD5

cd7c2749cc45759a36d24dfd2d76ea29
SHA1

1c35daa6fa468870547c169e7fa111eeb7b1a9c3
SHA256

2e283cb87bbd79191ea892566e255678735e0a9718e3fde91dc448d822a1a9bb
SHA512

7433e89d593196c61d99da0325cc1f99dee5a90d4ce4802be32d769812f8b8c71110e410f740ae5814a338faef9708d06da28c4d17f842f3acdd788b8f10cfe8
SSDEEP

3072:gciW+Zh8+WtcTIwxNm4/Lk/DWjAn8e8hJ:gciv7IJT/DWjAn

Score

10^/10

redline nasa infostealer

Malware Config

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F1D0F847-84D0-426C-B38E-3FC2A10C8278}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1832	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0x000a00000001434a-94.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a00000001434a-94.exe"
1⤵
PID:3808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3336

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsuE966.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
b9ff44098c17d13f8382e8ff5b4bd1a7

SHA1
b6f608041e657a91f24fd2c8168b65046061e510

SHA256
dd3da52a4a7c7445ba4696d02242cdb685610024ad090437e66c4e8e2dc651c7

SHA512
abce1d3bda70773e473eac536c897df82f3f5e771efeee9ba3377ef7168aec45b4641583b82827dd097af48521ef0be9186e22f9b72f5ceca369babc389136c5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f990d7b8d074696bc1db0ac5835cf5be

SHA1
10468c119b8a25a3b4b290427208d7c0d51ff9c2

SHA256
39cf1b4ac076562c835ea9ad83624969325c9fea3455b3e9454434234aa1a48b

SHA512
0ec20badb91c5a8b963470415270161f75d94bf606441fa55db318a1b181c954b6efecd5a8a841f363b2a1621dea5c324d5ca172ed54dde452af361e5792fce7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
611837555617d69d4b629b608157abb1

SHA1
e232c7a669255beb9af479a275edcf5336b3c134

SHA256
7640dbce998456096823f48f48e635dda74fc2010eaee79189e065a475264e91

SHA512
69c05899ac371fe21be1d31f3f9c0030fa8c700403e402bf1fdb472f311147b95e2d4e5b5038e2db9b732909f6804eaee1ed34c2a1e38c5d0fc8284e6f5327ff

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f13fcc41117acb5fab8887fcf151ab8c

SHA1
e75c3773683170ba9b3669d4784461b27319ae82

SHA256
1944b5a6c1e0fe0462508002df6924517efd492be2e27d76424a3df3c313ffe3

SHA512
94c71d6ed91ede980ea1cf3cf6c898250e9d7684261cba8ff7b3eadea849eeb36e1592b6dc0f73a0bf7d76df3cba26784b6a15cb939f2bfb7885a5b0896c1804

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
1ee8af70557c494b54fe2d706be91cfa

SHA1
3e031e4b450e3a121071ac072b9d3ae9d093b746

SHA256
9fad75574b3af8940f0b7eec2985a6634a9469cc20d3cfc24484c880f5de0524

SHA512
bfb65403b9533d961a6b3c85c030d1c940213f346d3af520c59ffdf2feac66fff7b241b12dce2a26dc7b856de71a4f796bd0c1d9b95d1525b8b7bb826380f32e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a6b0319c34f1636612119907cefc68ec

SHA1
f72c434ae5d62d694103147acbdbbb55b0eb9373

SHA256
3b58fc75e5270f514c8912c55036751a0c311ce780a200acc07f44859905e3d4

SHA512
609e7170722f0d7fa62a4fbf0a3d0e356bfa813ec8e7f702de404719e1218ded5c29d7325d785b86517ae30d61e51ab9147620b473a609d5af1f0dac04675509

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
02a81868aa0e13c2b3e10d9117c8424c

SHA1
d178c09b9eb8c529e9440b1381acf679d5c81a5e

SHA256
dfa0a00f5ccd56dbf6c4a93e6cb7114131562528ed4a78a458df7c202d1e3668

SHA512
113d1a6acf5acd2423a25a1b3bdc5aad6737e1cc2640f9095319ac3e8c84e80fa33c0a929b2fbdbdebc1e4fe21e66fd7a491a8079f92ddc7d5b9552069bb8ca9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
03e30331802042c54226f3fd47c45c06

SHA1
6829e67d9b9b41dbcc28cc8a6fc26298fc901d3a

SHA256
ca07073abb63d6fa2641ffc1a0fac03acad5c41f5583d5091bd8f4e208836fbf

SHA512
0d86f5841670873d6e52f06fd9909dd5980da78d4d156665f5167f5300e74c5535ed7d4ab06e040c3a3c74fdc11fc92e5d52bf957cdf82f34654955b0fd990db

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
de2db76e50519baac164bf6ef7b5058e

SHA1
e7852854d40370ee938b481c27b89b1bcccd1d45

SHA256
6c7caf1f12b76a00694ffcb3c0e0c353ac96e6538944c48dc57f70eb59fd9823

SHA512
88e0a21ffc02455a4d39e2477ed4cf8edeb165a48df24310e47ef1d992c8712dd47f3d40e530f14fb21c9027a7f97c91d1ca951f9d852d21346a2193268bcb2a

Download Submit
memory/1832-477-0x000001F7188A0000-0x000001F7188B0000-memory.dmp

Filesize
64KB

Download
memory/1832-496-0x000001F7189A0000-0x000001F7189B0000-memory.dmp

Filesize
64KB

Download
memory/1832-516-0x000001F720E50000-0x000001F720E51000-memory.dmp

Filesize
4KB

Download
memory/1832-515-0x000001F720D40000-0x000001F720D41000-memory.dmp

Filesize
4KB

Download
memory/1832-514-0x000001F720D40000-0x000001F720D41000-memory.dmp

Filesize
4KB

Download
memory/1832-512-0x000001F720D10000-0x000001F720D11000-memory.dmp

Filesize
4KB

Download
memory/3808-138-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3808-135-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/3808-133-0x00000000009A0000-0x00000000009D0000-memory.dmp

Filesize
192KB

Download
memory/3808-136-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/3808-137-0x0000000005310000-0x0000000005322000-memory.dmp

Filesize
72KB

Download
memory/3808-141-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/3808-139-0x00000000054B0000-0x00000000054EC000-memory.dmp

Filesize
240KB

Download
memory/3808-140-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3808-134-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download