redline | b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe
Size

1.4MB
MD5

45cee4ec3643349ffdf7395f7b4a5b3f
SHA1

26774d3f71bb03f94588b04e9bd8926fc87c6653
SHA256

b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775
SHA512

eac80cdb3cb0371bd429e7a672257d7015ff7ab70f4d6c56ac4ba8abbe3d6e931441389b031220f8c7fcb2decdf8042f76969442c2e7f2d5d2e5f68e8124a08b
SSDEEP

24576:n5hGigbZWG8Srp651ZFL3XVTLcx9+WrCkF2gNCs46sL3f:n0SYP+cRF2gNlsD

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2800-29-0x0000000000080000-0x00000000000DA000-memory.dmp	family_redline
behavioral1/memory/2800-34-0x0000000000080000-0x00000000000DA000-memory.dmp	family_redline
behavioral1/memory/2800-32-0x0000000000080000-0x00000000000DA000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2616 created 1212	2616	Connection.pif	11

Executes dropped EXE 2 IoCs

pid	Process
2616	Connection.pif
2800	jsc.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	cmd.exe
2616	Connection.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2776	tasklist.exe
2512	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2524	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2616	Connection.pif
2616	Connection.pif
2616	Connection.pif
2616	Connection.pif
2616	Connection.pif
2800	jsc.exe
2800	jsc.exe
2800	jsc.exe
2800	jsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	tasklist.exe
Token: SeDebugPrivilege	2512	tasklist.exe
Token: SeDebugPrivilege	2800	jsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2616	Connection.pif
2616	Connection.pif
2616	Connection.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2616	Connection.pif
2616	Connection.pif
2616	Connection.pif

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2652	2868	b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe	28
PID 2868 wrote to memory of 2652	2868	b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe	28
PID 2868 wrote to memory of 2652	2868	b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe	28
PID 2868 wrote to memory of 2652	2868	b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe	28
PID 2652 wrote to memory of 2760	2652	cmd.exe	30
PID 2652 wrote to memory of 2760	2652	cmd.exe	30
PID 2652 wrote to memory of 2760	2652	cmd.exe	30
PID 2652 wrote to memory of 2760	2652	cmd.exe	30
PID 2760 wrote to memory of 2776	2760	cmd.exe	31
PID 2760 wrote to memory of 2776	2760	cmd.exe	31
PID 2760 wrote to memory of 2776	2760	cmd.exe	31
PID 2760 wrote to memory of 2776	2760	cmd.exe	31
PID 2760 wrote to memory of 2736	2760	cmd.exe	32
PID 2760 wrote to memory of 2736	2760	cmd.exe	32
PID 2760 wrote to memory of 2736	2760	cmd.exe	32
PID 2760 wrote to memory of 2736	2760	cmd.exe	32
PID 2760 wrote to memory of 2512	2760	cmd.exe	34
PID 2760 wrote to memory of 2512	2760	cmd.exe	34
PID 2760 wrote to memory of 2512	2760	cmd.exe	34
PID 2760 wrote to memory of 2512	2760	cmd.exe	34
PID 2760 wrote to memory of 3048	2760	cmd.exe	35
PID 2760 wrote to memory of 3048	2760	cmd.exe	35
PID 2760 wrote to memory of 3048	2760	cmd.exe	35
PID 2760 wrote to memory of 3048	2760	cmd.exe	35
PID 2760 wrote to memory of 2540	2760	cmd.exe	36
PID 2760 wrote to memory of 2540	2760	cmd.exe	36
PID 2760 wrote to memory of 2540	2760	cmd.exe	36
PID 2760 wrote to memory of 2540	2760	cmd.exe	36
PID 2760 wrote to memory of 2860	2760	cmd.exe	37
PID 2760 wrote to memory of 2860	2760	cmd.exe	37
PID 2760 wrote to memory of 2860	2760	cmd.exe	37
PID 2760 wrote to memory of 2860	2760	cmd.exe	37
PID 2760 wrote to memory of 2640	2760	cmd.exe	38
PID 2760 wrote to memory of 2640	2760	cmd.exe	38
PID 2760 wrote to memory of 2640	2760	cmd.exe	38
PID 2760 wrote to memory of 2640	2760	cmd.exe	38
PID 2760 wrote to memory of 2616	2760	cmd.exe	40
PID 2760 wrote to memory of 2616	2760	cmd.exe	40
PID 2760 wrote to memory of 2616	2760	cmd.exe	40
PID 2760 wrote to memory of 2616	2760	cmd.exe	40
PID 2760 wrote to memory of 2524	2760	cmd.exe	39
PID 2760 wrote to memory of 2524	2760	cmd.exe	39
PID 2760 wrote to memory of 2524	2760	cmd.exe	39
PID 2760 wrote to memory of 2524	2760	cmd.exe	39
PID 2616 wrote to memory of 2800	2616	Connection.pif	43
PID 2616 wrote to memory of 2800	2616	Connection.pif	43
PID 2616 wrote to memory of 2800	2616	Connection.pif	43
PID 2616 wrote to memory of 2800	2616	Connection.pif	43
PID 2616 wrote to memory of 2800	2616	Connection.pif	43
PID 2616 wrote to memory of 2800	2616	Connection.pif	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe
  "C:\Users\Admin\AppData\Local\Temp\b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k cmd < Bbs & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 26873
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Sentence + Taught + Feedback + Tsunami + Grad 26873\Connection.pif
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Sparc + Results 26873\C
        5⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        Runs ping.exe
        
        PID:2524
    - - C:\Users\Admin\AppData\Local\Temp\42090\26873\Connection.pif
        
        26873\Connection.pif 26873\C
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2616
- C:\Users\Admin\AppData\Local\Temp\42090\26873\jsc.exe
  C:\Users\Admin\AppData\Local\Temp\42090\26873\jsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\42090\26873\C

Filesize
758KB

MD5
36d46255ee659decc167a858f4e9dc30

SHA1
ca38f807567c1e36b6b0b8c88674249653dea471

SHA256
86a5d8d34c89a8fbd3ed3afdde52507c24ec05a361fbe4f6f3627ca1572eacab

SHA512
e4d68ef4d554d5ea497ff438306326948b2c80ee42c1ed16934c45c0b1ebdff3214ebfb1f28945a36b69c4c7d8eff5b05902e5cd7d1683b1a9794c6635a9aa1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\26873\Connection.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\26873\Connection.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\26873\jsc.exe

Filesize
45KB

MD5
f1feead2143c07ca411d82a29fa964af

SHA1
2198e7bf402773757bb2a25311ffd2644e5a1645

SHA256
8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

SHA512
e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\26873\jsc.exe

Filesize
45KB

MD5
f1feead2143c07ca411d82a29fa964af

SHA1
2198e7bf402773757bb2a25311ffd2644e5a1645

SHA256
8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

SHA512
e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\Bbs

Filesize
13KB

MD5
5d8a2a120af045c8d0aac78c57c03697

SHA1
cbd0f90fefeba76f599ba9ec7f4fc1bbcd3bdb13

SHA256
8b03a9e8437f6f7201b0fc777e8c3629c0aeea041f63ac1b8e70e73717c07fb4

SHA512
ac7e3d3d916053c912e7f2209977e9c12cf8d5efdf02fa482679165ebc2806c4643846d20ad9a2d58a1537389443c2625543721521b8d5a289334e14b3b5f888

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\Feedback

Filesize
161KB

MD5
c6cf09534f8ee6daef3149da78c64ba5

SHA1
aaa3dc37dc2dd81e164c4e35c274b676b12ff771

SHA256
c35fee916b97f7e1a1b0715030e407d872cfc894b426b94fabf0babfa58bd142

SHA512
9d625d3c7ad80cc862d06f3ef994f7408a32a0a8bb7d9847d0b077d18e6e46dd9a7d8338ffe966f8e5d7c47c1a0ef9f7d858d268e2388028c3a62841d9262912

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\Grad

Filesize
126KB

MD5
ac33b4a176c095a6eca59095316ebe22

SHA1
de7b15757d24a5df589badee3c43342622e318b5

SHA256
0dcf9719f65563766be234ed65ca2f5fb62f28cf42f23709b1de5b8ce6b595e4

SHA512
7d4cb1f56d262304e7a7853825e42f774190e2c5d978dd16a4a2e17824c1452040e885cd731117ff0a94bbe9f205896de401e1ea18d8fee438dd09ef9e80c42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\Results

Filesize
307KB

MD5
fedcc23be1cc5f7617bc3ef5e8252d66

SHA1
e5a2c10df5aa4765e968df1394c0fcc9018adfa3

SHA256
4fdb64abc7ad651a4587660e9179bfaafc2a30fe2410b9896e6a7c06eb8acdcf

SHA512
5b8237cd60653d0eb481ec5c3e6da5c56ee2a646797a444c38e24b286ad204e5592fb6a9486e8bb079e2b24ea3f4b19375516aacee2c6dc84b0605f2b18e56b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\Sentence

Filesize
242KB

MD5
3dc2a9b76a1d6565091a348e2b1f8751

SHA1
79565e6821e0f4c1a8d28494365d3b3deb354140

SHA256
acf6ace5d4162c30d687204df636013d66167a1a01af56e7c2721fe32a156558

SHA512
ae6861c940bb3609d361e043f73c54882091adb1de34e8217b5787639fb7035e6d358cd2418e1c967c97886193ec9a54c95b9ea9fb681b18a6c682897e24656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\Sparc

Filesize
451KB

MD5
0fca05071fd14f524b0e9556b8f3984f

SHA1
0c38b11f62e4e34b9bef32f8bbc7eda8fb75af7b

SHA256
dcfadf0620bb02b1c0f053c677dd2021399c8efe0e6e99f3a860a035eab35141

SHA512
2dea8f25b0586fc8cd5f9a406e880ea39476748707ba0c19a038902c181eec228a332ae52b4127b40b6baa8d78bac8cfbe1df50ac531ef34e8bdcda5a00e552d

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\Taught

Filesize
185KB

MD5
8a28ac876447f7d287e7a27fbb6275fa

SHA1
555f61875c8e78dd73cc712c881cb282a6004104

SHA256
e51e36c506155139c49d40134a7eb3603965e6b806ce7fe712f518635a9ccbe3

SHA512
d1d98f81a1fc152ff8d982271cc7fea419461730014ce7acd8b94c590c9c548c059048090f1c158317a009e75d2b104b9ebefad9fffd6227022bc60845950384

Download Submit
C:\Users\Admin\AppData\Local\Temp\42090\Tsunami

Filesize
210KB

MD5
6fc8a81dd6e36b53a40101505e77d665

SHA1
96996fb1a6b563d09f4b3a4af1cdb73c7975fef2

SHA256
3c9e80af20f23433ab7c14e7c86fe2bb9e7102692bacccbc7c8e29e8c8a14456

SHA512
00b81ba4c3d69f307b2acaeea32320bf2253068e90b2839586963f4a88fcd903c9cb7fdc039e0ebee5878056db99b35340b64f713c5ade25d3c1d89b59912e69

Download Submit
\Users\Admin\AppData\Local\Temp\42090\26873\Connection.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
\Users\Admin\AppData\Local\Temp\42090\26873\jsc.exe

Filesize
45KB

MD5
f1feead2143c07ca411d82a29fa964af

SHA1
2198e7bf402773757bb2a25311ffd2644e5a1645

SHA256
8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

SHA512
e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

Download Submit
memory/2616-25-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2800-29-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2800-34-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2800-32-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2800-36-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2800-37-0x0000000000870000-0x00000000008B0000-memory.dmp

Filesize
256KB

Download
memory/2800-38-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-23-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2868-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download