redline | 8f150114b4d2d9b1de24ff8b6eef3706935868d54464c68b9b0ad1c4c8a962d7

General

Target

679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe
Size

1.9MB
MD5

1a933b075452db624a756f76662a0614
SHA1

264bedf3867851461ea52b75650f414fcebb61ef
SHA256

679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d
SHA512

8f84c2c548d5774c5e942cef1dc5e0eb6e82a79d22a30b636bf0a98fad535cfab5e77a380c1c167ea33caca1ee397e64490eff0672cc915d1c8e797eb63e1071
SSDEEP

24576:GubsnafAPyjSzuubsnafAPyjZrilCQZCC3kmnrAa1rmqUeIiVfox2oTVZHeBFpUH:YI4wI1iln73XnrA0dqiFoHcpfi/Znqh0

Score

10^/10

redline 1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

1

C2

77.221.156.45:18734

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 2 IoCs

Processes:

work.exedwrtg.exe

pid process

2540 work.exe
2528 dwrtg.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exework.exe

pid process

2612 cmd.exe
2540 work.exe
2540 work.exe
2540 work.exe
2540 work.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

dwrtg.exe

pid process

2528 dwrtg.exe
2528 dwrtg.exe
2528 dwrtg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

dwrtg.exe

pid process

2528 dwrtg.exe
2528 dwrtg.exe
2528 dwrtg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dwrtg.exe

description pid process

Token: SeDebugPrivilege 2528 dwrtg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dwrtg.exe

pid process

2528 dwrtg.exe

pid	process
2540	work.exe
2528	dwrtg.exe

pid	process
2612	cmd.exe
2540	work.exe
2540	work.exe
2540	work.exe
2540	work.exe

pid	process
2528	dwrtg.exe
2528	dwrtg.exe
2528	dwrtg.exe

pid	process
2528	dwrtg.exe
2528	dwrtg.exe
2528	dwrtg.exe

description	pid	process
Token: SeDebugPrivilege	2528	dwrtg.exe

pid	process
2528	dwrtg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.execmd.exework.exe

description	pid	process	target process
PID 3036 wrote to memory of 2612	3036	679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe	cmd.exe
PID 3036 wrote to memory of 2612	3036	679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe	cmd.exe
PID 3036 wrote to memory of 2612	3036	679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe	cmd.exe
PID 3036 wrote to memory of 2612	3036	679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe	cmd.exe
PID 2612 wrote to memory of 2540	2612	cmd.exe	work.exe
PID 2612 wrote to memory of 2540	2612	cmd.exe	work.exe
PID 2612 wrote to memory of 2540	2612	cmd.exe	work.exe
PID 2612 wrote to memory of 2540	2612	cmd.exe	work.exe
PID 2540 wrote to memory of 2528	2540	work.exe	dwrtg.exe
PID 2540 wrote to memory of 2528	2540	work.exe	dwrtg.exe
PID 2540 wrote to memory of 2528	2540	work.exe	dwrtg.exe
PID 2540 wrote to memory of 2528	2540	work.exe	dwrtg.exe

C:\Users\Admin\AppData\Local\Temp\679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe
"C:\Users\Admin\AppData\Local\Temp\679d5cdadcc48fa79574ce12e8d0fd2e19823dc4b7e39a84b5b286672f45a72d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
1.6MB

MD5
8a4879228a1be7f3607b3e273eed0a4b

SHA1
f3e0e38342319067c69960421535d5350961617b

SHA256
59a114ce6fb1eecdb755d07bff991d2463a313e5726f97bd1fe17dd42f83a869

SHA512
c8aa9fcfef49346564111ae8d8e0bae9aa5a9bc5a4bb01db658967de0adcd0d07a20c158b6d4dfa2b591ca7b14235590f8ba23af4f86367edba15383c847d5fd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\dwrtg.exe
Filesize
1.3MB

MD5
54a764920f77d7fa6e0362c87fef1a00

SHA1
bf50ce0c1086fe415dea79aecc1f484922a3a723

SHA256
5e9bcca94777fe32ffbf38991c2d7123b26bc0e7bc7a347683f66d19d298fa57

SHA512
3839b7344a2ca58bc9bc0bd89cc05325aa009f013865728c237f2d26a56c430a07b71aa5a36e503393e48ba592f3a3d245d5df117f117735406e2a9c157da4fb

Download Submit
memory/2528-38-0x0000000001120000-0x00000000014F4000-memory.dmp

Filesize
3.8MB

Download
memory/2528-40-0x0000000001120000-0x00000000014F4000-memory.dmp

Filesize
3.8MB

Download
memory/2528-41-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2528-42-0x0000000005190000-0x00000000051D0000-memory.dmp

Filesize
256KB

Download
memory/2528-45-0x0000000001120000-0x00000000014F4000-memory.dmp

Filesize
3.8MB

Download
memory/2528-46-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-35-0x0000000003880000-0x0000000003C54000-memory.dmp

Filesize
3.8MB

Download
memory/2540-36-0x0000000003880000-0x0000000003C54000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing