redline | b245a9e880b92b5525233c4a8cdb8e4d1cda15c7e1a4a6ca7ee99d97cf51488a

Analysis

max time kernel
198s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
14/03/2024, 00:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

A u r o r a X.exe
Size

715KB
MD5

f476fc8e39528472df2b1ab6c5a469e2
SHA1

4d2e57a77b87b99ddcc5369d5fe98e5bac6856f4
SHA256

b245a9e880b92b5525233c4a8cdb8e4d1cda15c7e1a4a6ca7ee99d97cf51488a
SHA512

88c800a78f4ee407afd88ef8ef1e82b4b1217af6e3631edb6b7c6d99364c49417036634204f5f197ef0b8111637468e6cbecc3c2ef2c9d490e89d0a9ada7cce7
SSDEEP

12288:YNDg1jvzGKeIa4lux1aDtHQxkWJyhKjaUyXBjMCe/0k0QQKjIL6:YNqvGSa4lL1Qai3ydm/0jwIL6

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2524-29-0x0000000001300000-0x000000000135C000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3216 created 3312	3216	Present.pif	55

Executes dropped EXE 2 IoCs

pid	Process
3216	Present.pif
2524	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2968	tasklist.exe
824	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4928	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3216	Present.pif
3216	Present.pif
3216	Present.pif
3216	Present.pif
3216	Present.pif
3216	Present.pif
3216	Present.pif
3216	Present.pif
2524	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	tasklist.exe
Token: SeDebugPrivilege	824	tasklist.exe
Token: SeDebugPrivilege	2524	RegAsm.exe
Token: SeBackupPrivilege	2524	RegAsm.exe
Token: SeSecurityPrivilege	2524	RegAsm.exe
Token: SeSecurityPrivilege	2524	RegAsm.exe
Token: SeSecurityPrivilege	2524	RegAsm.exe
Token: SeSecurityPrivilege	2524	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3216	Present.pif
3216	Present.pif
3216	Present.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3216	Present.pif
3216	Present.pif
3216	Present.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 4880	3024	A u r o r a X.exe	75
PID 3024 wrote to memory of 4880	3024	A u r o r a X.exe	75
PID 3024 wrote to memory of 4880	3024	A u r o r a X.exe	75
PID 4880 wrote to memory of 2968	4880	cmd.exe	77
PID 4880 wrote to memory of 2968	4880	cmd.exe	77
PID 4880 wrote to memory of 2968	4880	cmd.exe	77
PID 4880 wrote to memory of 2656	4880	cmd.exe	78
PID 4880 wrote to memory of 2656	4880	cmd.exe	78
PID 4880 wrote to memory of 2656	4880	cmd.exe	78
PID 4880 wrote to memory of 824	4880	cmd.exe	80
PID 4880 wrote to memory of 824	4880	cmd.exe	80
PID 4880 wrote to memory of 824	4880	cmd.exe	80
PID 4880 wrote to memory of 3040	4880	cmd.exe	81
PID 4880 wrote to memory of 3040	4880	cmd.exe	81
PID 4880 wrote to memory of 3040	4880	cmd.exe	81
PID 4880 wrote to memory of 1720	4880	cmd.exe	82
PID 4880 wrote to memory of 1720	4880	cmd.exe	82
PID 4880 wrote to memory of 1720	4880	cmd.exe	82
PID 4880 wrote to memory of 2044	4880	cmd.exe	83
PID 4880 wrote to memory of 2044	4880	cmd.exe	83
PID 4880 wrote to memory of 2044	4880	cmd.exe	83
PID 4880 wrote to memory of 1868	4880	cmd.exe	84
PID 4880 wrote to memory of 1868	4880	cmd.exe	84
PID 4880 wrote to memory of 1868	4880	cmd.exe	84
PID 4880 wrote to memory of 3216	4880	cmd.exe	85
PID 4880 wrote to memory of 3216	4880	cmd.exe	85
PID 4880 wrote to memory of 3216	4880	cmd.exe	85
PID 4880 wrote to memory of 4928	4880	cmd.exe	86
PID 4880 wrote to memory of 4928	4880	cmd.exe	86
PID 4880 wrote to memory of 4928	4880	cmd.exe	86
PID 3216 wrote to memory of 2524	3216	Present.pif	87
PID 3216 wrote to memory of 2524	3216	Present.pif	87
PID 3216 wrote to memory of 2524	3216	Present.pif	87
PID 3216 wrote to memory of 2524	3216	Present.pif	87
PID 3216 wrote to memory of 2524	3216	Present.pif	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\A u r o r a X.exe
  "C:\Users\Admin\AppData\Local\Temp\A u r o r a X.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Tv Tv.bat & Tv.bat & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 31698
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 31698\Present.pif + Summary + Impact + Ray + Smoke + Prevention 31698\Present.pif
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Beat + Turtle + Hurricane 31698\u
      4⤵
      PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\31698\Present.pif
      31698\Present.pif 31698\u
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3216
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4928
- C:\Users\Admin\AppData\Local\Temp\31698\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\31698\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31698\Present.pif

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31698\Present.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31698\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\31698\u

Filesize
446KB

MD5
35927990a7b837ef00b962af8f93cafb

SHA1
870d4137e23ef37a59d0def8cea39b65b69578be

SHA256
b87485a2b1def8df7418b2834fd1ecb23b21bb62103ae46c3c98102e3fc66490

SHA512
7e349093ed4f5f575800a565d9b6aad1efc3cc537bc44b136f46d713eb23b099534189551cefd7cb327ba760b99811fefa7cd1f729ca183e4777c8c08a064c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beat

Filesize
286KB

MD5
032357703b5ce3baf1c1c8e2cfbecd53

SHA1
d2fd7b21dde1ffe42c541c7077a04f5b7c0a05ea

SHA256
735cda19d881ee2c28101d09414cfb873ba17587f77a7fac24125da18e4afebe

SHA512
2476fe332260ddff35d27c6fc29d150510c9828f79b27933854b4282653c2956807072fe99dcbe8fa9c5aedda1e6a219887d2427bc0eaf9f1837fcdb2d9f6299

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hurricane

Filesize
174KB

MD5
35bafb2670374b40e7565d2375a0398e

SHA1
408588981f40afd9b9cde22b1730a9b0b6c786da

SHA256
589b656a6b34233fb305bc1be6bcdedb821f9efbbd2dd2089e1a93196b0daa19

SHA512
11d868d3ba9a7156d12d1794951ded13d3cab7e93aa46e8fa73df2bcfdf820c75b8f4c2e0b90a1aae871cef591b245279db88314cabc4b8f3ad11198f248a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Impact

Filesize
109KB

MD5
cb653da94140e5c70e9c86e7fbda1d29

SHA1
36c4a6955ac0b7fa890b65c66b5f3f14087dc978

SHA256
ccf96df9859615a179ae7b975b0130ff28ff869b1289c0cd963ed2236638708b

SHA512
6f35ff9fd752d077d92c66ad147ea3c449e9dc60a2cf762da5991b8f25afafa130af6ae0395c0777af94b54079a6a1dbeba744c475e0b7e72704d42216d86877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prevention

Filesize
56KB

MD5
81d88021025188b208e3e5bee870a35f

SHA1
167d2b860097a9baccd09ed41e8c922065c42ba9

SHA256
0df0214c701b1ee01d73b37174835c06674e3e509a31d26e2cb8b4ad78286314

SHA512
80b2b1c7ca92af39bd4633ed8cb86d13257e24c0750d841cc5169f331a9b77b263b68c62cd99a2c198fd07d3ef70ab3385749e42defe9a6e25c5cc98b338b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ray

Filesize
233KB

MD5
8f5dc8c2edd6d31892833f02c91e06d8

SHA1
3aa7a22e9c2b9ef55f6ab8fdbd871d905e693e81

SHA256
177c7d6763739c7bd54cd62270a1a9e28560a1ec0dc3bc1d88ecd1d6e4a9e15f

SHA512
c4e7feedad4d22356fd8aea8ae593ce40dd28e540cdb5162d1c0f8300bfaa22a05202cb91eb3eb4f37724008b3d9df966e58dbea0d76e66c0e5de8410a2a3daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smoke

Filesize
266KB

MD5
cecbfa5f9956a5c0e60933b58288c280

SHA1
715c43aae2eed1836e459bff9717ab97494704d8

SHA256
bd6a32bb4829a271c4ae9f7c6dbffd920cb22865ed3bf356eddd9df596d99f7d

SHA512
95dbba9961dd8411acafc04b2393f968d4544a5171a632632c0f114813f71498ff9033ba45f4b7c34afd4c6208f1349606b7548b1e125d8b38f77e508927ff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Summary

Filesize
208KB

MD5
c4b889b1379e2b3eeb956553b719b22a

SHA1
678cd18741c398010aec9f59233d472644d0079f

SHA256
c7a139b90d5d6c0a25d636b76fc32ebeeb06c426595063c925c383cf4bb6445d

SHA512
2611b3b3ff0a0198e08375ac5614427c8e97e796b3e677430f13fb0993645fc80ba610f9e68c6418d6d859349af84372fe000ae26bf2e0ec605880d03c61a86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Turtle

Filesize
261KB

MD5
7a6ca99cafcf2598d131d5d3e9d5cf65

SHA1
360e087c9ba4a2cbb9ceec9401bc4d784430bc95

SHA256
ef13ed4da127b37926ae39c90b1538facc29468d9a92be8d5c23f8e2042bf492

SHA512
7c43b2d52fe70bf7608cb695bb68adde625daab0098b303382f0d66e05016b3c26cb9a717e82425c9744bbb3f8dfa79834554ca20e008d0b1af02fed4f0aded3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tv

Filesize
15KB

MD5
b679ce0e773bb53d98bcca4938135ecf

SHA1
b9607174cdc497bc424ed70402ac217f765244b0

SHA256
9b032e9f6b36d85aed8ae30c2f1212096cc0fb48ca65f13ef11cee6ecf295839

SHA512
c8492ad5a312108d266ea043461ffb8664b7a46dec83c270c924b7618215f7b2a882b1ab6d0223d6296b5105022b5659ff75837626b3fdd032caa93d1b21f4b2

Download Submit
memory/2524-32-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-38-0x00000000087C0000-0x00000000087D2000-memory.dmp

Filesize
72KB

Download
memory/2524-48-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-46-0x0000000072F60000-0x000000007364E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-33-0x0000000005CB0000-0x00000000061AE000-memory.dmp

Filesize
5.0MB

Download
memory/2524-34-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/2524-35-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/2524-36-0x0000000008D00000-0x0000000009306000-memory.dmp

Filesize
6.0MB

Download
memory/2524-37-0x0000000008890000-0x000000000899A000-memory.dmp

Filesize
1.0MB

Download
memory/2524-29-0x0000000001300000-0x000000000135C000-memory.dmp

Filesize
368KB

Download
memory/2524-39-0x0000000008820000-0x000000000885E000-memory.dmp

Filesize
248KB

Download
memory/2524-40-0x00000000089A0000-0x00000000089EB000-memory.dmp

Filesize
300KB

Download
memory/2524-41-0x0000000008AA0000-0x0000000008B06000-memory.dmp

Filesize
408KB

Download
memory/2524-42-0x0000000009410000-0x0000000009486000-memory.dmp

Filesize
472KB

Download
memory/2524-43-0x0000000008C80000-0x0000000008C9E000-memory.dmp

Filesize
120KB

Download
memory/2524-44-0x0000000009E20000-0x0000000009FE2000-memory.dmp

Filesize
1.8MB

Download
memory/2524-45-0x000000000A520000-0x000000000AA4C000-memory.dmp

Filesize
5.2MB

Download
memory/3216-25-0x0000000077231000-0x0000000077344000-memory.dmp

Filesize
1.1MB

Download
memory/3216-27-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download