redline | 3724859dc08f6e3c36f2aecf9c8284ba709f2b6c831b57d5b032877c83cf119a

Analysis

max time kernel
135s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe
Size

1.2MB
MD5

8d2f7c67059a695625fe500f9a502092
SHA1

6feed04ad1ac6a081e525b61c1051757b456f170
SHA256

3724859dc08f6e3c36f2aecf9c8284ba709f2b6c831b57d5b032877c83cf119a
SHA512

830fc36c77f5fdba6d4653b5b832670f54a5497bdc7b6daf20df247a5836a13acf36b2daddc3d1212add13a1981d6d9417935ff982ed6d31a01d79c79e1e1290
SSDEEP

24576:n53uhFSIBX1gx2BSY54F5ZpOBu8cGSmnodrCYF0MEQdAt:n5+hFVXyHYu5LOGXmnyCYF0MEQdw

Score

10^/10

redline maxi discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

maxi

135.181.241.49:35200

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2996-27-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/2996-30-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/2996-29-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2564	Audace.com
2760	Audace.com
2996	RegAsm.exe

Loads dropped DLL 4 IoCs

pid	Process
2788	cmd.exe
2564	Audace.com
2760	Audace.com
2996	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2760 set thread context of 2996	2760	Audace.com	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audace.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Audace.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2672	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2672	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2760	Audace.com
2760	Audace.com
2760	Audace.com
2760	Audace.com
2760	Audace.com
2760	Audace.com
2760	Audace.com
2760	Audace.com
2760	Audace.com

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2760	Audace.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	RegAsm.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1264	1848	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe	30
PID 1848 wrote to memory of 1264	1848	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe	30
PID 1848 wrote to memory of 1264	1848	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe	30
PID 1848 wrote to memory of 1264	1848	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2700	1848	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe	32
PID 1848 wrote to memory of 2700	1848	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe	32
PID 1848 wrote to memory of 2700	1848	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe	32
PID 1848 wrote to memory of 2700	1848	8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2788	2700	cmd.exe	34
PID 2700 wrote to memory of 2788	2700	cmd.exe	34
PID 2700 wrote to memory of 2788	2700	cmd.exe	34
PID 2700 wrote to memory of 2788	2700	cmd.exe	34
PID 2788 wrote to memory of 2680	2788	cmd.exe	35
PID 2788 wrote to memory of 2680	2788	cmd.exe	35
PID 2788 wrote to memory of 2680	2788	cmd.exe	35
PID 2788 wrote to memory of 2680	2788	cmd.exe	35
PID 2788 wrote to memory of 2564	2788	cmd.exe	36
PID 2788 wrote to memory of 2564	2788	cmd.exe	36
PID 2788 wrote to memory of 2564	2788	cmd.exe	36
PID 2788 wrote to memory of 2564	2788	cmd.exe	36
PID 2788 wrote to memory of 2672	2788	cmd.exe	37
PID 2788 wrote to memory of 2672	2788	cmd.exe	37
PID 2788 wrote to memory of 2672	2788	cmd.exe	37
PID 2788 wrote to memory of 2672	2788	cmd.exe	37
PID 2564 wrote to memory of 2760	2564	Audace.com	38
PID 2564 wrote to memory of 2760	2564	Audace.com	38
PID 2564 wrote to memory of 2760	2564	Audace.com	38
PID 2564 wrote to memory of 2760	2564	Audace.com	38
PID 2760 wrote to memory of 2996	2760	Audace.com	39
PID 2760 wrote to memory of 2996	2760	Audace.com	39
PID 2760 wrote to memory of 2996	2760	Audace.com	39
PID 2760 wrote to memory of 2996	2760	Audace.com	39
PID 2760 wrote to memory of 2996	2760	Audace.com	39
PID 2760 wrote to memory of 2996	2760	Audace.com	39
PID 2760 wrote to memory of 2996	2760	Audace.com	39
PID 2760 wrote to memory of 2996	2760	Audace.com	39

C:\Users\Admin\AppData\Local\Temp\8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d2f7c67059a695625fe500f9a502092_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo BiJhBDFMt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Appartenga.iso
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^nfzqDrYPjfGCiXffACXfCqloibYIYQvcDHLLIXvzLsXNQOEQUPqNvnPbtlSyydRcSlYmkEHDyEDkrbazSoNoQIZtShGbtshcABUFPyE$" Intinti.bin
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\Audace.com
      Audace.com Dio.msi
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\Audace.com
        
        C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\Audace.com Dio.msi
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\Appartenga.iso

Filesize
108KB

MD5
c7460386a0c6ca2c07b309c2cbdd0968

SHA1
d5199cb6ede26654bf1994888aadb60027b0450a

SHA256
0e88e817b7970e5842f19b61d07dc04b414d5298a0e62702050de35b028b5ad1

SHA512
9bc49f55449f5af69a9cf84bb9d3a320d06e4269e5f0d739a1889594b904647687b80dfe62ec08f80aa9def8d08aecaea6dc525a63fcb7482eb20cbce85d3e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\Dio.msi

Filesize
954KB

MD5
15a8b9fcbde7b5aeb2c8052924453a9a

SHA1
eb446e336f1be7316f7fca79329ef5eb3909e2fc

SHA256
e3a35be91f2dd18304d79f247808886cb974d078adb3fd3c2af5c072f256d450

SHA512
69d0044dd0b9dbbff01d5b3c564f6faa346d4cc77e16dc09288a50f3cd71dc42aecba9d16dd1e67da30138c59a86a7228c12a17152236f01d8c436d8f2dc750b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\Intinti.bin

Filesize
921KB

MD5
9060768e602d28d4c40a12a0d9cb4709

SHA1
7f0ea27c8d8ba1c760d58143a10d1b81d92d5c70

SHA256
03b7e0b39e8e03e70cb0186303d73fdb983b964aef721c01d55d8d7fc71a1501

SHA512
ea2614dc9f866ce509a05f809116ee9c2fb0b71a712c5b594a0f8c68546ed90321873ad70db4b0748fd817e20b73dcafa06a0d57b4d844e3c0d484a52f67d4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\Prende.midi

Filesize
128KB

MD5
cb8e15cf344186cb85355c72b3514d11

SHA1
a9903346de41e38d79ba6f145c3e0fa9e634b197

SHA256
b1be995ee493333f756d431fac5878c7b9b8e1e1742c068bc7fa921f0cab4f33

SHA512
e74c8f2abc3afcb04cbb2c0df2108b26c5504611a4decf7615965196819769329d9d61a0f04d1fd2c16aedae198b1bebdcbd7431ab7967a9b5e3ffbaddd206e7

Download Submit
\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\Audace.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\gZJISvZciFmvtR\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/2996-27-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2996-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2996-29-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download