redline | ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcaec7f383b4d81d1b318ee

Analysis

max time kernel
117s
max time network
137s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16-10-2023 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe
Size

1.2MB
MD5

cd900bad4b7376e0ec9efe7b6b5b656f
SHA1

69a757cfe9785e95ca429d9c18264c61215ce5b5
SHA256

ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcaec7f383b4d81d1b318ee
SHA512

f926c91f9401faf14a36aad3ab585725991e4b5c09cd72828e5a21dd1212d03340a07e8ed978940b2dc04efc4d81fe57fef530f19818552809d4ccdc11179229
SSDEEP

6144:XZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy62plUFsYM:pANwRo+mv8QD4+0V162gzM

Score

10^/10

redline 6246893512_99 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

6246893512_99

https://pastebin.com/raw/8baCJyMF

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 1 IoCs

pid	Process
2908	setup_1696682515.396641.exe

Loads dropped DLL 4 IoCs

pid	Process
1704	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe
2908	setup_1696682515.396641.exe
2908	setup_1696682515.396641.exe
2908	setup_1696682515.396641.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\1\1\setup_1696682515.396641.exe	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2908	setup_1696682515.396641.exe
2908	setup_1696682515.396641.exe
2908	setup_1696682515.396641.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	setup_1696682515.396641.exe
Token: SeRestorePrivilege	2908	setup_1696682515.396641.exe
Token: SeBackupPrivilege	2908	setup_1696682515.396641.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2908	1704	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe	31
PID 1704 wrote to memory of 2908	1704	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe	31
PID 1704 wrote to memory of 2908	1704	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe	31
PID 1704 wrote to memory of 2908	1704	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe	31
PID 1704 wrote to memory of 2908	1704	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe	31
PID 1704 wrote to memory of 2908	1704	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe	31
PID 1704 wrote to memory of 2908	1704	ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe	31

C:\Users\Admin\AppData\Local\Temp\ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe
"C:\Users\Admin\AppData\Local\Temp\ef0a4f73c51f2a14eeaac3d6db1b9a016e22afb50dcae.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\1\1\setup_1696682515.396641.exe
  "C:\Program Files (x86)\1\1\setup_1696682515.396641.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1\1\setup_1696682515.396641.exe

Filesize
179.5MB

MD5
8712e72653c14f7e17d03025da1a78f8

SHA1
50118e4757041fc5805ed0cb92d8115f55aca833

SHA256
2cb054ac3cbf5e12b98df0d7477a3a975b7690fee0428caaad95a8efa09f2378

SHA512
a1e151897c46ce69a42a1ce5ca2eb8d02c16bb6e0f965ee22b896d600815de7e1dc5d5cbe47e18a2f77ce4d3506397983444ef220c72fd3957e0d5078df1c671

Download Submit
C:\Program Files (x86)\1\1\setup_1696682515.396641.exe

Filesize
178.8MB

MD5
97a5cd5a5ae22c07f01485cbfb4517db

SHA1
2c84ceeeda246d5947fce66d19f884fded573544

SHA256
75672a9c6c2ca0efc8554d4a394984f60431f39cc087993847db7c0c5270df38

SHA512
a724b34866552b459e6fd4fffee43fe9b3913c5baac82edd5f99e6b8865595404d2f8cd759490da8963925ffadc6db796c757a7e845f1ffd7953e071fff91d68

Download Submit
C:\Program Files (x86)\1\1\setup_1696682515.396641.exe

Filesize
179.2MB

MD5
df51bbf414318e5fe29ea0d5bae7294c

SHA1
6938d38e698ddd54679ec5fe6dcbf01276490cc6

SHA256
dadf232cb6486cdcfab351341f250a76ce93117776f51a7b3d6743206439e945

SHA512
860a7afbc3624dceda031fcefd5c593a7b916ace3be5a9a21e39d5a5a4dd1436009ca74c0bc8585e5ae156f8488a6fee0d56e2da3c85379f841d08645052fccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar321.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\Program Files (x86)\1\1\setup_1696682515.396641.exe

Filesize
181.2MB

MD5
d294e976a06825114a0e593724043288

SHA1
9bcd0b6d30d2ac3eec20096b2c36a3bd7e417dc1

SHA256
f4297617c76b78b308345f27edb39f9ba83b990d2b4dc73e11081ef20b3d270f

SHA512
6fdae7eacfb9d56473c86a5856cf70e760cc70d51ac1db7e19cf6007360211897ebdb52a5c4b56f4391273f0088c92476c6917eae85ba8d589518c9cdee408d7

Download Submit
\Program Files (x86)\1\1\setup_1696682515.396641.exe

Filesize
180.6MB

MD5
794bdafd01e01b46156b86659b4478a1

SHA1
fc1d2a930f6acefe4602c57e0f8e669675e32ded

SHA256
77b3d28a3175ea42f0ccfb8e1ea68379c7bdf77dc332f3278379c37e0cecb31f

SHA512
463ce795d4dfb75ce47dbadcea7db70a714a91934b6facf81cb78aa7a4d66fcb8058c50548e88cbd3763b7f3ac4f44f49c46d9123120341e126a472f4b0cc31a

Download Submit
\Program Files (x86)\1\1\setup_1696682515.396641.exe

Filesize
176.4MB

MD5
290d05ee91822bd827d10a425554d6e5

SHA1
54bfdf4fc94022680d472305c001c29ede58c6ea

SHA256
941a1190bbcbe4be33eec21d238553d11d0536b1d2ea384c3f38b6069730f3cf

SHA512
7ed3b593cafbfe4e280eab558ca64c1cb7e9a598624895ba35e30be20ec449559397706a6e81fbf939847e028da12bfe94b4d76664869e0ea7b27f266c4a36bf

Download Submit
\Program Files (x86)\1\1\setup_1696682515.396641.exe

Filesize
180.9MB

MD5
45d3a267538dd3b4daa447644c423e1a

SHA1
3a9e3105f671820f7fc1d96718553a93aeeb61b1

SHA256
0e0dadaaba161302e17a902359da823affe9f3549e0b1c89e3e55fea271d1b84

SHA512
7565edab6d33f2496e6582c6b0e9fa45f89adba9b091b5e7abf2355c0ab4c433ef9e32d9f5d0865d59e2ad0b3789de8ad0e1e45b3d0f99c52d73a227cb076aa0

Download Submit
memory/1704-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-25-0x00000000005C0000-0x00000000005DE000-memory.dmp

Filesize
120KB

Download
memory/2908-24-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download