redline | 09390304176d930c2ff463be7537b7134c74a39ddd13030642d0cb4956cc6d15

Analysis

max time kernel
143s
max time network
177s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
14-03-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A u r о r a X/A u r о r a X.exe
Size

715KB
MD5

f476fc8e39528472df2b1ab6c5a469e2
SHA1

4d2e57a77b87b99ddcc5369d5fe98e5bac6856f4
SHA256

b245a9e880b92b5525233c4a8cdb8e4d1cda15c7e1a4a6ca7ee99d97cf51488a
SHA512

88c800a78f4ee407afd88ef8ef1e82b4b1217af6e3631edb6b7c6d99364c49417036634204f5f197ef0b8111637468e6cbecc3c2ef2c9d490e89d0a9ada7cce7
SSDEEP

12288:YNDg1jvzGKeIa4lux1aDtHQxkWJyhKjaUyXBjMCe/0k0QQKjIL6:YNqvGSa4lL1Qai3ydm/0jwIL6

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1576-29-0x0000000001300000-0x000000000135C000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Present.pif

description pid process target process

PID 4040 created 3328 4040 Present.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Present.pifRegAsm.exe

pid process

4040 Present.pif
1576 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1728 tasklist.exe
3496 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2800 PING.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Present.pifRegAsm.exe

pid process

4040 Present.pif
4040 Present.pif
4040 Present.pif
4040 Present.pif
4040 Present.pif
4040 Present.pif
4040 Present.pif
4040 Present.pif
1576 RegAsm.exe

description	pid	process	target process
PID 4040 created 3328	4040	Present.pif	Explorer.EXE

pid	process
4040	Present.pif
1576	RegAsm.exe

pid	process
1728	tasklist.exe
3496	tasklist.exe

pid	process
2800	PING.EXE

pid	process
4040	Present.pif
4040	Present.pif
4040	Present.pif
4040	Present.pif
4040	Present.pif
4040	Present.pif
4040	Present.pif
4040	Present.pif
1576	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

tasklist.exetasklist.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1728	tasklist.exe
Token: SeDebugPrivilege	3496	tasklist.exe
Token: SeDebugPrivilege	1576	RegAsm.exe
Token: SeBackupPrivilege	1576	RegAsm.exe
Token: SeSecurityPrivilege	1576	RegAsm.exe
Token: SeSecurityPrivilege	1576	RegAsm.exe
Token: SeSecurityPrivilege	1576	RegAsm.exe
Token: SeSecurityPrivilege	1576	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Present.pif

pid process

4040 Present.pif
4040 Present.pif
4040 Present.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Present.pif

pid process

4040 Present.pif
4040 Present.pif
4040 Present.pif

pid	process
4040	Present.pif
4040	Present.pif
4040	Present.pif

pid	process
4040	Present.pif
4040	Present.pif
4040	Present.pif

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

A u r о r a X.execmd.exePresent.pif

description	pid	process	target process
PID 2172 wrote to memory of 2332	2172	A u r о r a X.exe	cmd.exe
PID 2172 wrote to memory of 2332	2172	A u r о r a X.exe	cmd.exe
PID 2172 wrote to memory of 2332	2172	A u r о r a X.exe	cmd.exe
PID 2332 wrote to memory of 1728	2332	cmd.exe	tasklist.exe
PID 2332 wrote to memory of 1728	2332	cmd.exe	tasklist.exe
PID 2332 wrote to memory of 1728	2332	cmd.exe	tasklist.exe
PID 2332 wrote to memory of 4324	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 4324	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 4324	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 3496	2332	cmd.exe	tasklist.exe
PID 2332 wrote to memory of 3496	2332	cmd.exe	tasklist.exe
PID 2332 wrote to memory of 3496	2332	cmd.exe	tasklist.exe
PID 2332 wrote to memory of 680	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 680	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 680	2332	cmd.exe	findstr.exe
PID 2332 wrote to memory of 5084	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 5084	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 5084	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 3340	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 3340	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 3340	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 4652	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 4652	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 4652	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 4040	2332	cmd.exe	Present.pif
PID 2332 wrote to memory of 4040	2332	cmd.exe	Present.pif
PID 2332 wrote to memory of 4040	2332	cmd.exe	Present.pif
PID 2332 wrote to memory of 2800	2332	cmd.exe	PING.EXE
PID 2332 wrote to memory of 2800	2332	cmd.exe	PING.EXE
PID 2332 wrote to memory of 2800	2332	cmd.exe	PING.EXE
PID 4040 wrote to memory of 1576	4040	Present.pif	RegAsm.exe
PID 4040 wrote to memory of 1576	4040	Present.pif	RegAsm.exe
PID 4040 wrote to memory of 1576	4040	Present.pif	RegAsm.exe
PID 4040 wrote to memory of 1576	4040	Present.pif	RegAsm.exe
PID 4040 wrote to memory of 1576	4040	Present.pif	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\A u r о r a X\A u r о r a X.exe
"C:\Users\Admin\AppData\Local\Temp\A u r о r a X\A u r о r a X.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Tv Tv.bat & Tv.bat & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:4324

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /c md 30331
4⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 30331\Present.pif + Summary + Impact + Ray + Smoke + Prevention 30331\Present.pif
4⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Beat + Turtle + Hurricane 30331\u
4⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\30331\Present.pif
30331\Present.pif 30331\u
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2800

C:\Users\Admin\AppData\Local\Temp\30331\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\30331\RegAsm.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30331\Present.pif
Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\30331\RegAsm.exe
Filesize
63KB

MD5
42ab6e035df99a43dbb879c86b620b91

SHA1
c6e116569d17d8142dbb217b1f8bfa95bc148c38

SHA256
53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

SHA512
2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\30331\u
Filesize
721KB

MD5
2ad3c442ab0a4f154223e1776c26ba74

SHA1
4c11ac6a557fb29d863564136963797e4e7af7c3

SHA256
5dd99ff84144d4e252833cd468c97928647bb47d53d68e9978f77c8f95765952

SHA512
37fd383135f8d48ab16911ea2d1ab05b6f7883fc246150129bef5afd25e80100ef8ce90929d72248eb5b0279eb293f63ec02c9d5cc5189a31d38ad40c70be27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beat
Filesize
286KB

MD5
032357703b5ce3baf1c1c8e2cfbecd53

SHA1
d2fd7b21dde1ffe42c541c7077a04f5b7c0a05ea

SHA256
735cda19d881ee2c28101d09414cfb873ba17587f77a7fac24125da18e4afebe

SHA512
2476fe332260ddff35d27c6fc29d150510c9828f79b27933854b4282653c2956807072fe99dcbe8fa9c5aedda1e6a219887d2427bc0eaf9f1837fcdb2d9f6299

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hurricane
Filesize
174KB

MD5
35bafb2670374b40e7565d2375a0398e

SHA1
408588981f40afd9b9cde22b1730a9b0b6c786da

SHA256
589b656a6b34233fb305bc1be6bcdedb821f9efbbd2dd2089e1a93196b0daa19

SHA512
11d868d3ba9a7156d12d1794951ded13d3cab7e93aa46e8fa73df2bcfdf820c75b8f4c2e0b90a1aae871cef591b245279db88314cabc4b8f3ad11198f248a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Impact
Filesize
109KB

MD5
cb653da94140e5c70e9c86e7fbda1d29

SHA1
36c4a6955ac0b7fa890b65c66b5f3f14087dc978

SHA256
ccf96df9859615a179ae7b975b0130ff28ff869b1289c0cd963ed2236638708b

SHA512
6f35ff9fd752d077d92c66ad147ea3c449e9dc60a2cf762da5991b8f25afafa130af6ae0395c0777af94b54079a6a1dbeba744c475e0b7e72704d42216d86877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prevention
Filesize
56KB

MD5
81d88021025188b208e3e5bee870a35f

SHA1
167d2b860097a9baccd09ed41e8c922065c42ba9

SHA256
0df0214c701b1ee01d73b37174835c06674e3e509a31d26e2cb8b4ad78286314

SHA512
80b2b1c7ca92af39bd4633ed8cb86d13257e24c0750d841cc5169f331a9b77b263b68c62cd99a2c198fd07d3ef70ab3385749e42defe9a6e25c5cc98b338b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ray
Filesize
233KB

MD5
8f5dc8c2edd6d31892833f02c91e06d8

SHA1
3aa7a22e9c2b9ef55f6ab8fdbd871d905e693e81

SHA256
177c7d6763739c7bd54cd62270a1a9e28560a1ec0dc3bc1d88ecd1d6e4a9e15f

SHA512
c4e7feedad4d22356fd8aea8ae593ce40dd28e540cdb5162d1c0f8300bfaa22a05202cb91eb3eb4f37724008b3d9df966e58dbea0d76e66c0e5de8410a2a3daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smoke
Filesize
266KB

MD5
cecbfa5f9956a5c0e60933b58288c280

SHA1
715c43aae2eed1836e459bff9717ab97494704d8

SHA256
bd6a32bb4829a271c4ae9f7c6dbffd920cb22865ed3bf356eddd9df596d99f7d

SHA512
95dbba9961dd8411acafc04b2393f968d4544a5171a632632c0f114813f71498ff9033ba45f4b7c34afd4c6208f1349606b7548b1e125d8b38f77e508927ff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Summary
Filesize
208KB

MD5
c4b889b1379e2b3eeb956553b719b22a

SHA1
678cd18741c398010aec9f59233d472644d0079f

SHA256
c7a139b90d5d6c0a25d636b76fc32ebeeb06c426595063c925c383cf4bb6445d

SHA512
2611b3b3ff0a0198e08375ac5614427c8e97e796b3e677430f13fb0993645fc80ba610f9e68c6418d6d859349af84372fe000ae26bf2e0ec605880d03c61a86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Turtle
Filesize
261KB

MD5
7a6ca99cafcf2598d131d5d3e9d5cf65

SHA1
360e087c9ba4a2cbb9ceec9401bc4d784430bc95

SHA256
ef13ed4da127b37926ae39c90b1538facc29468d9a92be8d5c23f8e2042bf492

SHA512
7c43b2d52fe70bf7608cb695bb68adde625daab0098b303382f0d66e05016b3c26cb9a717e82425c9744bbb3f8dfa79834554ca20e008d0b1af02fed4f0aded3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tv
Filesize
15KB

MD5
b679ce0e773bb53d98bcca4938135ecf

SHA1
b9607174cdc497bc424ed70402ac217f765244b0

SHA256
9b032e9f6b36d85aed8ae30c2f1212096cc0fb48ca65f13ef11cee6ecf295839

SHA512
c8492ad5a312108d266ea043461ffb8664b7a46dec83c270c924b7618215f7b2a882b1ab6d0223d6296b5105022b5659ff75837626b3fdd032caa93d1b21f4b2

Download Submit
memory/1576-33-0x0000000005F40000-0x00000000064E6000-memory.dmp

Filesize
5.6MB

Download
memory/1576-38-0x0000000008720000-0x000000000882A000-memory.dmp

Filesize
1.0MB

Download
memory/1576-49-0x0000000073720000-0x0000000073ED1000-memory.dmp

Filesize
7.7MB

Download
memory/1576-32-0x0000000073720000-0x0000000073ED1000-memory.dmp

Filesize
7.7MB

Download
memory/1576-47-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/1576-34-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/1576-35-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/1576-36-0x0000000005910000-0x000000000591A000-memory.dmp

Filesize
40KB

Download
memory/1576-37-0x0000000008BE0000-0x00000000091F8000-memory.dmp

Filesize
6.1MB

Download
memory/1576-29-0x0000000001300000-0x000000000135C000-memory.dmp

Filesize
368KB

Download
memory/1576-39-0x0000000008660000-0x0000000008672000-memory.dmp

Filesize
72KB

Download
memory/1576-40-0x00000000086C0000-0x00000000086FC000-memory.dmp

Filesize
240KB

Download
memory/1576-41-0x0000000008830000-0x000000000887C000-memory.dmp

Filesize
304KB

Download
memory/1576-42-0x0000000008970000-0x00000000089D6000-memory.dmp

Filesize
408KB

Download
memory/1576-43-0x0000000009300000-0x0000000009376000-memory.dmp

Filesize
472KB

Download
memory/1576-44-0x0000000008B50000-0x0000000008B6E000-memory.dmp

Filesize
120KB

Download
memory/1576-45-0x0000000009CE0000-0x0000000009EA2000-memory.dmp

Filesize
1.8MB

Download
memory/1576-46-0x000000000A3E0000-0x000000000A90C000-memory.dmp

Filesize
5.2MB

Download
memory/4040-25-0x0000000076F51000-0x0000000077073000-memory.dmp

Filesize
1.1MB

Download
memory/4040-27-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download