redline | 6ba0530cb54066d2ff66b8d57639542c2f6053f2e3e5cb69e051ab55eadb406f

Analysis

max time kernel
82s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17-09-2023 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setupp.zip
Size

132.8MB
MD5

1b05efdd19f4f3f08225bc2329386a32
SHA1

dac6df0393b94ff4872f231b4304e27d14ac3f4b
SHA256

6ba0530cb54066d2ff66b8d57639542c2f6053f2e3e5cb69e051ab55eadb406f
SHA512

bf5c74121bb82e73de691d256ff0adf0413499f7225d610e67abb703bef30b894cdded1fdc230fc145ae2d554e0b381a34f01e4905ebb7cf6b43bbd41ee3442b
SSDEEP

3145728:qFChK0NJRkBk96UY4wtc1Tv+iq7vfaFBYNnljoJpwl14moVruNxRIIP8g:qFCK3Bz4wK9qbKBQljewEBANxP

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2452-25-0x0000000000400000-0x0000000000442000-memory.dmp	family_redline
behavioral1/memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp	family_redline
behavioral1/memory/2452-29-0x0000000000400000-0x0000000000442000-memory.dmp	family_redline
behavioral1/memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp	family_redline
behavioral1/memory/2452-34-0x0000000000400000-0x0000000000442000-memory.dmp	family_redline
behavioral1/memory/2452-36-0x0000000004720000-0x0000000004760000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
1100	Setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 2452	1100	Setup.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1064	ipconfig.exe
1888	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1100	Setup.exe
1160	7zFM.exe
2452	aspnet_compiler.exe
2452	aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1160	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	1160	7zFM.exe
Token: 35	1160	7zFM.exe
Token: SeSecurityPrivilege	1160	7zFM.exe
Token: SeDebugPrivilege	1100	Setup.exe
Token: SeDebugPrivilege	2452	aspnet_compiler.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1160	7zFM.exe
1160	7zFM.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1100	1160	7zFM.exe	34
PID 1160 wrote to memory of 1100	1160	7zFM.exe	34
PID 1160 wrote to memory of 1100	1160	7zFM.exe	34
PID 1160 wrote to memory of 1100	1160	7zFM.exe	34
PID 1160 wrote to memory of 1100	1160	7zFM.exe	34
PID 1160 wrote to memory of 1100	1160	7zFM.exe	34
PID 1160 wrote to memory of 1100	1160	7zFM.exe	34
PID 1100 wrote to memory of 2076	1100	Setup.exe	35
PID 1100 wrote to memory of 2076	1100	Setup.exe	35
PID 1100 wrote to memory of 2076	1100	Setup.exe	35
PID 1100 wrote to memory of 2076	1100	Setup.exe	35
PID 2076 wrote to memory of 1064	2076	cmd.exe	37
PID 2076 wrote to memory of 1064	2076	cmd.exe	37
PID 2076 wrote to memory of 1064	2076	cmd.exe	37
PID 2076 wrote to memory of 1064	2076	cmd.exe	37
PID 1100 wrote to memory of 2360	1100	Setup.exe	38
PID 1100 wrote to memory of 2360	1100	Setup.exe	38
PID 1100 wrote to memory of 2360	1100	Setup.exe	38
PID 1100 wrote to memory of 2360	1100	Setup.exe	38
PID 2360 wrote to memory of 1888	2360	cmd.exe	39
PID 2360 wrote to memory of 1888	2360	cmd.exe	39
PID 2360 wrote to memory of 1888	2360	cmd.exe	39
PID 2360 wrote to memory of 1888	2360	cmd.exe	39
PID 1100 wrote to memory of 2452	1100	Setup.exe	41
PID 1100 wrote to memory of 2452	1100	Setup.exe	41
PID 1100 wrote to memory of 2452	1100	Setup.exe	41
PID 1100 wrote to memory of 2452	1100	Setup.exe	41
PID 1100 wrote to memory of 2452	1100	Setup.exe	41
PID 1100 wrote to memory of 2452	1100	Setup.exe	41
PID 1100 wrote to memory of 2452	1100	Setup.exe	41
PID 1100 wrote to memory of 2452	1100	Setup.exe	41
PID 1100 wrote to memory of 2452	1100	Setup.exe	41

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Setupp.zip
1⤵
PID:1404

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2496

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setupp.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:1888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe

Filesize
389.1MB

MD5
0a0d715aba787ffc967b0ec08ca4abc5

SHA1
8a24988c8355a85b39cf348a6e21f3bd527fc1df

SHA256
392d3960bccf8da7688e5f0f59bb3fc326e25b9be8147815b8b23813d668f91d

SHA512
4cf2a673f29808e70e5d6c59e70bad56640be7dfeaf3bb2beb903fa459b1cf65e4918a7a5c882ffc13808bf19ce714d8682df0c6b7bf634b96e7b4994684c35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe

Filesize
488.9MB

MD5
c013f924fe04c61baafb46118f79b54c

SHA1
93c130fc8c3ecbeee9658b9799ba94174e0c1324

SHA256
82251e875c64777065d78aff3bf4e3a00f2257712d92097c2e94bb20047fd829

SHA512
541da64330c46d7ba57622557e697be1dac1fdc6fa0a9e059ffc531c8c04d6df1888672fc0bc66c51317dd827581e63e3475e7c1abb83df8558291f9f4e3fd8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO884A5C17\Setup.exe

Filesize
488.5MB

MD5
adb71e34d1d367498227f12817de6647

SHA1
fc7f00df701122f7036dd4975e45b92e383a1077

SHA256
b12fe37e478296348e0af512d1717a1bd71469baacfe7e74c980d3061b3ea64f

SHA512
4dafc60931a5c411fe14f198345ab7a69f53f01922a0c0af83ee49112205002ce97e34a3696308a5f333d7c11810084787849416be4badd530fbf71de34ee888

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB2ED.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB37C.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/1100-32-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-15-0x000000000B020000-0x000000000B060000-memory.dmp

Filesize
256KB

Download
memory/1100-16-0x0000000000460000-0x00000000004A8000-memory.dmp

Filesize
288KB

Download
memory/1100-17-0x0000000000EF0000-0x0000000000F3C000-memory.dmp

Filesize
304KB

Download
memory/1100-18-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-19-0x000000000B020000-0x000000000B060000-memory.dmp

Filesize
256KB

Download
memory/1100-12-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-13-0x0000000000F50000-0x0000000001F50000-memory.dmp

Filesize
16.0MB

Download
memory/1100-14-0x0000000000630000-0x000000000068A000-memory.dmp

Filesize
360KB

Download
memory/2452-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-35-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-36-0x0000000004720000-0x0000000004760000-memory.dmp

Filesize
256KB

Download
memory/2452-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-71-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-72-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download