Resubmissions
Analysis
-
max time kernel
33s -
max time network
31s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
14-04-2024 23:29
General
-
Target
https://gofile.io/d/D1GC4n
Malware Config
Extracted
redline
cheat
TKANDERS.theworkpc.com:49182
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/D1GC4n1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xe0,0xe4,0xe8,0xdc,0x10c,0x7ffd61efab58,0x7ffd61efab68,0x7ffd61efab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3748 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3132 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4484 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4352 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4752 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
- NTFS ADS
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4876 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3964 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1808,i,1417273786788934781,16087308336988860392,131072 /prefetch:82⤵
-
C:\Users\Admin\Downloads\MSBuild.exe"C:\Users\Admin\Downloads\MSBuild.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\MSBuild.exe"C:\Users\Admin\Downloads\MSBuild.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
288B
MD5aba693c74646c4887cf8a5021ade8311
SHA17bbce683c4d60bc9e854e949670ba80588ac2935
SHA256c8736710ebf97bb2e62374c5c369cd3c34c432265ee2b146bf7866814552bb51
SHA512e25ca5a67e9e1a86b62c51e14deb40c29ee491dc858bf27c27be2b5dd4e47befe88cf932c56048327bf5a7a486aef11312f76cd48caabb844f1ad06a4d743410
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
690B
MD5c3eac6f8028e3d06e77ccba68ab36290
SHA15ea6264627a392bb3658aeac04d312527553c1f1
SHA2564dbac4d2723ec6a57ac91781d8b71e3f00acb3876db1b88b479afe7c3ca54c61
SHA512385ad7817ce29eb0b9d728f07bdaf3939e73f14a5b20dc8c6102cd62f9dd39668c1401da4ea183d7ef0638a19234df70c6cb9094ec47d69ee1e84ddf1f4a7f0c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5c064049cc3fcd601723cc3b41273e431
SHA1dbc6f770b20cd5ec83741f47c7b045ecc17cf79d
SHA256f941aa41439e351fdc269deb91221c064b96c2eb912d892894dc18129c6223e1
SHA5121580c219c41fd64daf548ef5e2dabe6eb686c2df21f90ae37e8c9f9a970351cfe535478b0255f255d9e9f1dcec5a779969365549a8ee636a0ad262d3f710f711
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD53187d2e33cf96d04554c44b5805f051c
SHA1e94da6ca28af8676328ed7eeefb3375824810d9a
SHA256de22dde62621a2355d191872fe5791300688ab4da31a8fd3f40bc11394308adb
SHA512e7370746ccf5d85716408532fb45d6a80da71bda3d4e744de50e84cbcf8796890771ff0f9af23630318814f4e1563b6af78ddf7d0d8dbcb01ee61eb8ff355328
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
127KB
MD5c85e9ba3acbe16fe06ed0ecc012f6267
SHA19db6ebf8f7e3244b06cc534e5b2d4c7d97609e45
SHA256123c3c78c8527b3cd8ffb2dd311ba4da467403f130d1ea2be323a5c09fb725a3
SHA512de655ca832b2ef24323e90ee3850dd7ee4b6c852b20e2eb193c777492e1bb58a50b77f25ade1cc571a75a45821c96a1671490a899bc823339abe00ae9cb47e5d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.logFilesize
847B
MD5ef375f28c91db0202bf7db29c0cbc2ce
SHA15a3f5d4ec75a468b908c2eb2b9e6f4b1e76c1017
SHA256f4d1c038db378dec10e7e2fc81ccc2e2d4b8132ef0d66905e3625a0b0cbbde5f
SHA512f18141e352fcd253e02cb25fa0cff29ab06dec62bafd5aa80ca48c959d1dba97deae830d01bf521f851a8143b9416747eb170d0cedafa32b59155027c02f244d
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD5e23e7738a77157383b36aac373c94c3d
SHA13267e2189c3c333359cfa01fa683c1660020f8e3
SHA2567792fd4bed6991f5096eefe2c6931e987a660a4739cd88fdcee38b2d4874d034
SHA512c3eeb483ab01b2bb3614c0294dc8a0324ed82ffd46edd8da4f6e5e522b974c2b0b4da30326e9b614cc32c039a137ea90501278ba8186a96f98e569bc6e4e5b67
-
C:\Users\Admin\AppData\Local\Temp\tmpCB50.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmpCB65.tmpFilesize
100KB
MD58f7c33da3a9fc1fbfeea5db4ec4545c3
SHA137a3cdc4732b827aa2314481a75d7cd357a85b11
SHA256e46d3efa4203b94ff6507efcc2a5fdc0c230c81f00fe12ab94d36eeb0cef773b
SHA512bfc826f1a0b593620c10654395912297d270b6c8d0f3e61b84125fa59edeb16531f76a347069c25482b5fde00332398c7afc8ecd3afcffce75ec091caac7d823
-
C:\Users\Admin\AppData\Local\Temp\tmpCB91.tmpFilesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
C:\Users\Admin\AppData\Local\Temp\tmpCB97.tmpFilesize
20KB
MD522be08f683bcc01d7a9799bbd2c10041
SHA12efb6041cf3d6e67970135e592569c76fc4c41de
SHA256451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA5120eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
C:\Users\Admin\AppData\Local\Temp\tmpCBAC.tmpFilesize
112KB
MD587210e9e528a4ddb09c6b671937c79c6
SHA13c75314714619f5b55e25769e0985d497f0062f2
SHA256eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0
-
C:\Users\Admin\AppData\Local\Temp\tmpCBE7.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\Downloads\MSBuild.exe:Zone.IdentifierFilesize
154B
MD5d8381149c9db344f4d18c8a675caf567
SHA151ee2e18834bb25fed4f3463bf8ab4fe4fafad30
SHA2563f91854c4f699788d8d1eec4c0b6a106b87e3a4841e032a77957eb1cb4d40e27
SHA5123e76017942f557fda6bee82e8d898bc19c36bdb8bb67b5534d1e4ccd1e1e549887d33dbad8ae7d552b749f64b16404567ac0371b19d790dc188d8c65da2ea87d
-
C:\Users\Admin\Downloads\Unconfirmed 616856.crdownloadFilesize
180KB
MD57bb3d913742d3d4ab1e2236bfde7e4a6
SHA1abff865c52824231776460bd7b1d068b121d3986
SHA2561c8ba0ea86801366c0e20104ab91dee4693847b2a30c7fe6a65c91ee5e449c09
SHA5123c197af92e31ea114494c3843f1c1dedb869828db9130435478ebd792cfb09a5101832447be85aa18a8c86b9051dfb23108f5a23841553d4c5cd1951c2a6ed65
-
\??\pipe\crashpad_2668_IZSYWWUKGNOSCINAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1744-108-0x00000000744F0000-0x0000000074CA1000-memory.dmpFilesize
7.7MB
-
memory/1744-103-0x0000000002EF0000-0x0000000002EF6000-memory.dmpFilesize
24KB
-
memory/1744-101-0x0000000005430000-0x0000000005440000-memory.dmpFilesize
64KB
-
memory/1744-102-0x0000000002E50000-0x0000000002E6A000-memory.dmpFilesize
104KB
-
memory/1744-100-0x00000000744F0000-0x0000000074CA1000-memory.dmpFilesize
7.7MB
-
memory/1744-99-0x00000000008D0000-0x0000000000900000-memory.dmpFilesize
192KB
-
memory/2004-109-0x00000000744F0000-0x0000000074CA1000-memory.dmpFilesize
7.7MB
-
memory/2004-115-0x0000000005870000-0x000000000597A000-memory.dmpFilesize
1.0MB
-
memory/2004-132-0x0000000006B70000-0x0000000006D32000-memory.dmpFilesize
1.8MB
-
memory/2004-133-0x0000000007270000-0x000000000779C000-memory.dmpFilesize
5.2MB
-
memory/2004-134-0x0000000007D50000-0x00000000082F6000-memory.dmpFilesize
5.6MB
-
memory/2004-135-0x0000000006DE0000-0x0000000006E72000-memory.dmpFilesize
584KB
-
memory/2004-136-0x0000000006E80000-0x0000000006EE6000-memory.dmpFilesize
408KB
-
memory/2004-114-0x0000000005620000-0x000000000566C000-memory.dmpFilesize
304KB
-
memory/2004-113-0x0000000005610000-0x0000000005620000-memory.dmpFilesize
64KB
-
memory/2004-112-0x00000000055C0000-0x00000000055FC000-memory.dmpFilesize
240KB
-
memory/2004-111-0x0000000005560000-0x0000000005572000-memory.dmpFilesize
72KB
-
memory/2004-110-0x0000000005C40000-0x0000000006258000-memory.dmpFilesize
6.1MB
-
memory/2004-104-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2004-319-0x0000000007170000-0x00000000071E6000-memory.dmpFilesize
472KB
-
memory/2004-320-0x00000000079C0000-0x00000000079DE000-memory.dmpFilesize
120KB
-
memory/2004-323-0x00000000744F0000-0x0000000074CA1000-memory.dmpFilesize
7.7MB