redline | 6ba0530cb54066d2ff66b8d57639542c2f6053f2e3e5cb69e051ab55eadb406f

General

Target

Setupp.zip
Size

132.8MB
MD5

1b05efdd19f4f3f08225bc2329386a32
SHA1

dac6df0393b94ff4872f231b4304e27d14ac3f4b
SHA256

6ba0530cb54066d2ff66b8d57639542c2f6053f2e3e5cb69e051ab55eadb406f
SHA512

bf5c74121bb82e73de691d256ff0adf0413499f7225d610e67abb703bef30b894cdded1fdc230fc145ae2d554e0b381a34f01e4905ebb7cf6b43bbd41ee3442b
SSDEEP

3145728:qFChK0NJRkBk96UY4wtc1Tv+iq7vfaFBYNnljoJpwl14moVruNxRIIP8g:qFCK3Bz4wK9qbKBQljewEBANxP

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1924-21-0x0000000000400000-0x0000000000442000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 1 IoCs

pid	Process
3468	Setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4948	ipconfig.exe
3884	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4280	7zFM.exe
Token: 35	4280	7zFM.exe
Token: SeSecurityPrivilege	4280	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4280	7zFM.exe
4280	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3468	4280	7zFM.exe	95
PID 4280 wrote to memory of 3468	4280	7zFM.exe	95
PID 4280 wrote to memory of 3468	4280	7zFM.exe	95
PID 3468 wrote to memory of 4140	3468	Setup.exe	100
PID 3468 wrote to memory of 4140	3468	Setup.exe	100
PID 3468 wrote to memory of 4140	3468	Setup.exe	100

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Setupp.zip
1⤵
PID:920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4088

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setupp.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\7zO8B0EF3F8\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8B0EF3F8\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    PID:4140
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    PID:8
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:4948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:1924

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\1f74f6b7102a423c8791567c2f925d2b /t 4324 /p 4280
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8B0EF3F8\Setup.exe

Filesize
306.7MB

MD5
f45df155dea6f923023dd7395ef1f37d

SHA1
ed598665dd9035363b15c236a95f693cbba602f8

SHA256
bd4e73b1392f4513422e4ff570cfd766669fbf10edeb25d6699b90f4c08cf19a

SHA512
947ed7f765761e7a9070d01b81e15d5bfc40386194223d3c595208e9fc0a96efb71c55f44b4454f8820d0e4593f6b966c892528973dd5ab0fba4bfac8f16343b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8B0EF3F8\Setup.exe

Filesize
301.2MB

MD5
9d10d61b1c7e6c028feb693fe863e12a

SHA1
32d418b1ca1cd0aa542688a8e67eae60e4539035

SHA256
7e5ca1128a7ca8368e5f9ae6c194407736e80d8447f1fce6ded2b7beba7da0fa

SHA512
0c01468f9be0204200196863808465bbcb08e90ae65f543cfb34e02e4532b81237436818f7daaf9a54490dd4b2d64cc26cf487e95fb8236ff2c892b6445ece91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8B0EF3F8\Setup.exe

Filesize
493.2MB

MD5
b16f1d822aebc6113e49e0c240a2e45f

SHA1
4f7ed5e9c984b054cabccab57382f2d222324b9a

SHA256
5ca3cf88bf4a8730104be100f6beefe99a58c758744c0f6c142b90cfce7181cc

SHA512
eda6e72d110e1119147e87411c47af4612353e3630babe88b9028760c4ee4cbdc374b881c911513991fabf0b0fa5593e027fcf02cdbdd4edd437ffd90a852ddf

Download Submit
memory/1924-33-0x0000000006C00000-0x000000000712C000-memory.dmp

Filesize
5.2MB

Download
memory/1924-32-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1924-35-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1924-34-0x00000000066D0000-0x0000000006736000-memory.dmp

Filesize
408KB

Download
memory/1924-37-0x0000000006A80000-0x0000000006AF6000-memory.dmp

Filesize
472KB

Download
memory/1924-28-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1924-31-0x0000000006500000-0x00000000066C2000-memory.dmp

Filesize
1.8MB

Download
memory/1924-36-0x0000000006960000-0x00000000069F2000-memory.dmp

Filesize
584KB

Download
memory/1924-30-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/1924-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-23-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/1924-29-0x0000000006220000-0x000000000625C000-memory.dmp

Filesize
240KB

Download
memory/1924-25-0x0000000005640000-0x0000000005C58000-memory.dmp

Filesize
6.1MB

Download
memory/1924-26-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/1924-27-0x00000000051B0000-0x00000000052BA000-memory.dmp

Filesize
1.0MB

Download
memory/3468-16-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3468-24-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3468-20-0x000000000BCB0000-0x000000000BCC0000-memory.dmp

Filesize
64KB

Download
memory/3468-19-0x000000000BEE0000-0x000000000BF2C000-memory.dmp

Filesize
304KB

Download
memory/3468-18-0x000000000BE90000-0x000000000BED8000-memory.dmp

Filesize
288KB

Download
memory/3468-17-0x000000000BCB0000-0x000000000BCC0000-memory.dmp

Filesize
64KB

Download
memory/3468-15-0x000000000BD30000-0x000000000BD8A000-memory.dmp

Filesize
360KB

Download
memory/3468-14-0x000000000C1D0000-0x000000000C774000-memory.dmp

Filesize
5.6MB

Download
memory/3468-13-0x0000000000E90000-0x0000000001E90000-memory.dmp

Filesize
16.0MB

Download
memory/3468-12-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads