redline | 3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896

General

Target

3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe
Size

509KB
MD5

b8e1a18940a4b5f002bbf04f334ee02a
SHA1

85c3076aad3bed20ecdf94d50d4937132b7788e6
SHA256

3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896
SHA512

1f3e237b9b9228cabd5a1469d29b5bbc934928502cb5c0427a002d9846c8582574c8d7a4441e321e696732b8b2bf79b779b2f050037c02a53aa8c155fa434d86
SSDEEP

12288:q88sCGxeImxxbTuylGHljSEqFT/fYUA3BVyt0I4ZCdf:q9rGxDmxxbToHljoffA3BVGmkf

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.195.145.80:14640

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4460-1-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4056 set thread context of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4460	RegAsm.exe
4460	RegAsm.exe
4460	RegAsm.exe
4460	RegAsm.exe
4460	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86
PID 4056 wrote to memory of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86
PID 4056 wrote to memory of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86
PID 4056 wrote to memory of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86
PID 4056 wrote to memory of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86
PID 4056 wrote to memory of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86
PID 4056 wrote to memory of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86
PID 4056 wrote to memory of 4460	4056	3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe	86

C:\Users\Admin\AppData\Local\Temp\3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe
"C:\Users\Admin\AppData\Local\Temp\3a46d11a2fe4b8e7e91c0771bbd86de9c22d634ae09278f7739e57ff9725f896.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TmpC023.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
memory/4056-0-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4460-29-0x0000000006CD0000-0x00000000072E8000-memory.dmp

Filesize
6.1MB

Download
memory/4460-30-0x0000000006820000-0x000000000692A000-memory.dmp

Filesize
1.0MB

Download
memory/4460-4-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/4460-5-0x0000000005210000-0x000000000521A000-memory.dmp

Filesize
40KB

Download
memory/4460-6-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4460-2-0x00000000743EE000-0x00000000743EF000-memory.dmp

Filesize
4KB

Download
memory/4460-23-0x0000000005F20000-0x0000000005F96000-memory.dmp

Filesize
472KB

Download
memory/4460-24-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/4460-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4460-3-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/4460-31-0x0000000006760000-0x0000000006772000-memory.dmp

Filesize
72KB

Download
memory/4460-32-0x00000000067C0000-0x00000000067FC000-memory.dmp

Filesize
240KB

Download
memory/4460-33-0x0000000006930000-0x000000000697C000-memory.dmp

Filesize
304KB

Download
memory/4460-34-0x0000000006A70000-0x0000000006AD6000-memory.dmp

Filesize
408KB

Download
memory/4460-35-0x0000000006C80000-0x0000000006CD0000-memory.dmp

Filesize
320KB

Download
memory/4460-36-0x00000000743EE000-0x00000000743EF000-memory.dmp

Filesize
4KB

Download
memory/4460-37-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4460-38-0x0000000007980000-0x0000000007B42000-memory.dmp

Filesize
1.8MB

Download
memory/4460-39-0x00000000087D0000-0x0000000008CFC000-memory.dmp

Filesize
5.2MB

Download
memory/4460-41-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing