redline | 12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593

General

Target

12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe
Size

315KB
MD5

0f9a7390c4a71cae8b2e709695fdd05b
SHA1

e380542376968be946f8ba7fabbd7b2065ff392d
SHA256

12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593
SHA512

0cfa9287bc2e5150e506315178e490984aadd6f8de1305db9dd28c37ddd2d6d691cb859ceb7979224c59b91562985cd178c025cf9e72cabfac147eadc66356e3
SSDEEP

6144:II8XYYyOCPtqXY1J5v+aarO28SuhAZ3tr2T9LManjK92NbaauJo3G:II8Xvy7N+aA18g8/n+3o2

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

147.45.47.36:14537

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2348-3-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2348	RegAsm.exe
2348	RegAsm.exe
2348	RegAsm.exe
2348	RegAsm.exe
2348	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85
PID 2308 wrote to memory of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85
PID 2308 wrote to memory of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85
PID 2308 wrote to memory of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85
PID 2308 wrote to memory of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85
PID 2308 wrote to memory of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85
PID 2308 wrote to memory of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85
PID 2308 wrote to memory of 2348	2308	12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe	85

C:\Users\Admin\AppData\Local\Temp\12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe
"C:\Users\Admin\AppData\Local\Temp\12cac791fafc11ccb103abd3873562fc176b7da4d182be1cf486f028a9063593.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tmp8770.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
memory/2308-1-0x0000000000E60000-0x0000000000EB4000-memory.dmp

Filesize
336KB

Download
memory/2308-36-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2308-5-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2308-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/2348-31-0x0000000006A10000-0x0000000007028000-memory.dmp

Filesize
6.1MB

Download
memory/2348-33-0x00000000064A0000-0x00000000064B2000-memory.dmp

Filesize
72KB

Download
memory/2348-9-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/2348-6-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/2348-26-0x0000000005D00000-0x0000000005D76000-memory.dmp

Filesize
472KB

Download
memory/2348-27-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/2348-30-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2348-7-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2348-32-0x0000000006560000-0x000000000666A000-memory.dmp

Filesize
1.0MB

Download
memory/2348-8-0x0000000004EA0000-0x0000000004F32000-memory.dmp

Filesize
584KB

Download
memory/2348-34-0x0000000006500000-0x000000000653C000-memory.dmp

Filesize
240KB

Download
memory/2348-35-0x0000000006670000-0x00000000066BC000-memory.dmp

Filesize
304KB

Download
memory/2348-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2348-37-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/2348-38-0x00000000067B0000-0x0000000006816000-memory.dmp

Filesize
408KB

Download
memory/2348-41-0x0000000007300000-0x00000000074C2000-memory.dmp

Filesize
1.8MB

Download
memory/2348-42-0x0000000007A00000-0x0000000007F2C000-memory.dmp

Filesize
5.2MB

Download
memory/2348-43-0x0000000007900000-0x0000000007950000-memory.dmp

Filesize
320KB

Download
memory/2348-45-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing