redline | b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775

Analysis

max time kernel
168s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe
Size

1.4MB
MD5

45cee4ec3643349ffdf7395f7b4a5b3f
SHA1

26774d3f71bb03f94588b04e9bd8926fc87c6653
SHA256

b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775
SHA512

eac80cdb3cb0371bd429e7a672257d7015ff7ab70f4d6c56ac4ba8abbe3d6e931441389b031220f8c7fcb2decdf8042f76969442c2e7f2d5d2e5f68e8124a08b
SSDEEP

24576:n5hGigbZWG8Srp651ZFL3XVTLcx9+WrCkF2gNCs46sL3f:n0SYP+cRF2gNlsD

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3652-33-0x0000000000F40000-0x0000000000F9A000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2572 created 3300	2572	Connection.pif	47

Executes dropped EXE 2 IoCs

pid	Process
2572	Connection.pif
3652	jsc.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1020	tasklist.exe
1380	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4344	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	tasklist.exe
Token: SeDebugPrivilege	1380	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif
2572	Connection.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1480	4448	b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe	89
PID 4448 wrote to memory of 1480	4448	b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe	89
PID 4448 wrote to memory of 1480	4448	b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe	89
PID 1480 wrote to memory of 768	1480	cmd.exe	91
PID 1480 wrote to memory of 768	1480	cmd.exe	91
PID 1480 wrote to memory of 768	1480	cmd.exe	91
PID 768 wrote to memory of 1020	768	cmd.exe	92
PID 768 wrote to memory of 1020	768	cmd.exe	92
PID 768 wrote to memory of 1020	768	cmd.exe	92
PID 768 wrote to memory of 2964	768	cmd.exe	93
PID 768 wrote to memory of 2964	768	cmd.exe	93
PID 768 wrote to memory of 2964	768	cmd.exe	93
PID 768 wrote to memory of 1380	768	cmd.exe	94
PID 768 wrote to memory of 1380	768	cmd.exe	94
PID 768 wrote to memory of 1380	768	cmd.exe	94
PID 768 wrote to memory of 232	768	cmd.exe	95
PID 768 wrote to memory of 232	768	cmd.exe	95
PID 768 wrote to memory of 232	768	cmd.exe	95
PID 768 wrote to memory of 5100	768	cmd.exe	96
PID 768 wrote to memory of 5100	768	cmd.exe	96
PID 768 wrote to memory of 5100	768	cmd.exe	96
PID 768 wrote to memory of 1212	768	cmd.exe	97
PID 768 wrote to memory of 1212	768	cmd.exe	97
PID 768 wrote to memory of 1212	768	cmd.exe	97
PID 768 wrote to memory of 2688	768	cmd.exe	98
PID 768 wrote to memory of 2688	768	cmd.exe	98
PID 768 wrote to memory of 2688	768	cmd.exe	98
PID 768 wrote to memory of 2572	768	cmd.exe	99
PID 768 wrote to memory of 2572	768	cmd.exe	99
PID 768 wrote to memory of 2572	768	cmd.exe	99
PID 768 wrote to memory of 4344	768	cmd.exe	100
PID 768 wrote to memory of 4344	768	cmd.exe	100
PID 768 wrote to memory of 4344	768	cmd.exe	100
PID 2572 wrote to memory of 3652	2572	Connection.pif	108
PID 2572 wrote to memory of 3652	2572	Connection.pif	108
PID 2572 wrote to memory of 3652	2572	Connection.pif	108
PID 2572 wrote to memory of 3652	2572	Connection.pif	108
PID 2572 wrote to memory of 3652	2572	Connection.pif	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe
  "C:\Users\Admin\AppData\Local\Temp\b882d2fa75dd429d2366009bbe68c3bf3910cc54bce8a1b6e3ec56f8cae11775.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k cmd < Bbs & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        
        PID:232
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 26762
        5⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Sentence + Taught + Feedback + Tsunami + Grad 26762\Connection.pif
        5⤵
        
        PID:1212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Sparc + Results 26762\C
        5⤵
        
        PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\27979\26762\Connection.pif
        
        26762\Connection.pif 26762\C
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2572
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        Runs ping.exe
        
        PID:4344
- C:\Users\Admin\AppData\Local\Temp\27979\26762\jsc.exe
  C:\Users\Admin\AppData\Local\Temp\27979\26762\jsc.exe
  2⤵
  - Executes dropped EXE
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27979\26762\C

Filesize
758KB

MD5
36d46255ee659decc167a858f4e9dc30

SHA1
ca38f807567c1e36b6b0b8c88674249653dea471

SHA256
86a5d8d34c89a8fbd3ed3afdde52507c24ec05a361fbe4f6f3627ca1572eacab

SHA512
e4d68ef4d554d5ea497ff438306326948b2c80ee42c1ed16934c45c0b1ebdff3214ebfb1f28945a36b69c4c7d8eff5b05902e5cd7d1683b1a9794c6635a9aa1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\26762\Connection.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\26762\jsc.exe

Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\26762\jsc.exe

Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\Bbs

Filesize
13KB

MD5
5d8a2a120af045c8d0aac78c57c03697

SHA1
cbd0f90fefeba76f599ba9ec7f4fc1bbcd3bdb13

SHA256
8b03a9e8437f6f7201b0fc777e8c3629c0aeea041f63ac1b8e70e73717c07fb4

SHA512
ac7e3d3d916053c912e7f2209977e9c12cf8d5efdf02fa482679165ebc2806c4643846d20ad9a2d58a1537389443c2625543721521b8d5a289334e14b3b5f888

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\Feedback

Filesize
161KB

MD5
c6cf09534f8ee6daef3149da78c64ba5

SHA1
aaa3dc37dc2dd81e164c4e35c274b676b12ff771

SHA256
c35fee916b97f7e1a1b0715030e407d872cfc894b426b94fabf0babfa58bd142

SHA512
9d625d3c7ad80cc862d06f3ef994f7408a32a0a8bb7d9847d0b077d18e6e46dd9a7d8338ffe966f8e5d7c47c1a0ef9f7d858d268e2388028c3a62841d9262912

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\Grad

Filesize
126KB

MD5
ac33b4a176c095a6eca59095316ebe22

SHA1
de7b15757d24a5df589badee3c43342622e318b5

SHA256
0dcf9719f65563766be234ed65ca2f5fb62f28cf42f23709b1de5b8ce6b595e4

SHA512
7d4cb1f56d262304e7a7853825e42f774190e2c5d978dd16a4a2e17824c1452040e885cd731117ff0a94bbe9f205896de401e1ea18d8fee438dd09ef9e80c42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\Results

Filesize
307KB

MD5
fedcc23be1cc5f7617bc3ef5e8252d66

SHA1
e5a2c10df5aa4765e968df1394c0fcc9018adfa3

SHA256
4fdb64abc7ad651a4587660e9179bfaafc2a30fe2410b9896e6a7c06eb8acdcf

SHA512
5b8237cd60653d0eb481ec5c3e6da5c56ee2a646797a444c38e24b286ad204e5592fb6a9486e8bb079e2b24ea3f4b19375516aacee2c6dc84b0605f2b18e56b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\Sentence

Filesize
242KB

MD5
3dc2a9b76a1d6565091a348e2b1f8751

SHA1
79565e6821e0f4c1a8d28494365d3b3deb354140

SHA256
acf6ace5d4162c30d687204df636013d66167a1a01af56e7c2721fe32a156558

SHA512
ae6861c940bb3609d361e043f73c54882091adb1de34e8217b5787639fb7035e6d358cd2418e1c967c97886193ec9a54c95b9ea9fb681b18a6c682897e24656d

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\Sparc

Filesize
451KB

MD5
0fca05071fd14f524b0e9556b8f3984f

SHA1
0c38b11f62e4e34b9bef32f8bbc7eda8fb75af7b

SHA256
dcfadf0620bb02b1c0f053c677dd2021399c8efe0e6e99f3a860a035eab35141

SHA512
2dea8f25b0586fc8cd5f9a406e880ea39476748707ba0c19a038902c181eec228a332ae52b4127b40b6baa8d78bac8cfbe1df50ac531ef34e8bdcda5a00e552d

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\Taught

Filesize
185KB

MD5
8a28ac876447f7d287e7a27fbb6275fa

SHA1
555f61875c8e78dd73cc712c881cb282a6004104

SHA256
e51e36c506155139c49d40134a7eb3603965e6b806ce7fe712f518635a9ccbe3

SHA512
d1d98f81a1fc152ff8d982271cc7fea419461730014ce7acd8b94c590c9c548c059048090f1c158317a009e75d2b104b9ebefad9fffd6227022bc60845950384

Download Submit
C:\Users\Admin\AppData\Local\Temp\27979\Tsunami

Filesize
210KB

MD5
6fc8a81dd6e36b53a40101505e77d665

SHA1
96996fb1a6b563d09f4b3a4af1cdb73c7975fef2

SHA256
3c9e80af20f23433ab7c14e7c86fe2bb9e7102692bacccbc7c8e29e8c8a14456

SHA512
00b81ba4c3d69f307b2acaeea32320bf2253068e90b2839586963f4a88fcd903c9cb7fdc039e0ebee5878056db99b35340b64f713c5ade25d3c1d89b59912e69

Download Submit
memory/2572-31-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3652-33-0x0000000000F40000-0x0000000000F9A000-memory.dmp

Filesize
360KB

Download
memory/3652-36-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/3652-37-0x0000000008310000-0x00000000088B4000-memory.dmp

Filesize
5.6MB

Download
memory/3652-38-0x0000000007E00000-0x0000000007E92000-memory.dmp

Filesize
584KB

Download
memory/3652-39-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4448-14-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4448-13-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4448-29-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4448-8-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4448-0-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4448-2-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4448-1-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download