redline | bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295

Analysis

max time kernel
37s
max time network
38s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.0MB
MD5

abb713cf90e8345c0b6b79345cbdc9d6
SHA1

67e705d4070b58994f0b718005d5f07fef824192
SHA256

bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295
SHA512

809b8c6aae46674c4c5fe24a98ae1fa065ab24d44c42e56b85946d7cc039f4139eb34e62daaf2ea1058180884a72c411d639c79eacc491e7fdb555a11b4dd524
SSDEEP

24576:T3ThU20saWF461GGhJryB+dItlXPoxt1tXNq7pk04o9wynZTAgEXt:7OcXDGG/uua1Y3XwpkkagGt

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

147.45.47.251:2149

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/1528-31-0x0000000000110000-0x0000000000162000-memory.dmp	family_redline
behavioral1/memory/1528-33-0x0000000000110000-0x0000000000162000-memory.dmp	family_redline
behavioral1/memory/1528-34-0x0000000000110000-0x0000000000162000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 2 IoCs

pid	Process
2672	Sister.pif
1528	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2640	cmd.exe
2672	Sister.pif
1528	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2700	tasklist.exe
2724	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MrnaMatches	file.exe
File opened for modification	C:\Windows\VotingApps	file.exe
File opened for modification	C:\Windows\TherebyJoke	file.exe
File opened for modification	C:\Windows\BlahAdobe	file.exe
File opened for modification	C:\Windows\AspResistance	file.exe
File opened for modification	C:\Windows\OvenJa	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sister.pif

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2672	Sister.pif
2672	Sister.pif
2672	Sister.pif
2672	Sister.pif
2672	Sister.pif
1528	RegAsm.exe
1528	RegAsm.exe
1528	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe
Token: SeDebugPrivilege	1528	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2672	Sister.pif
2672	Sister.pif
2672	Sister.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2672	Sister.pif
2672	Sister.pif
2672	Sister.pif

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2640	1548	file.exe	30
PID 1548 wrote to memory of 2640	1548	file.exe	30
PID 1548 wrote to memory of 2640	1548	file.exe	30
PID 1548 wrote to memory of 2640	1548	file.exe	30
PID 2640 wrote to memory of 2700	2640	cmd.exe	32
PID 2640 wrote to memory of 2700	2640	cmd.exe	32
PID 2640 wrote to memory of 2700	2640	cmd.exe	32
PID 2640 wrote to memory of 2700	2640	cmd.exe	32
PID 2640 wrote to memory of 2716	2640	cmd.exe	33
PID 2640 wrote to memory of 2716	2640	cmd.exe	33
PID 2640 wrote to memory of 2716	2640	cmd.exe	33
PID 2640 wrote to memory of 2716	2640	cmd.exe	33
PID 2640 wrote to memory of 2724	2640	cmd.exe	35
PID 2640 wrote to memory of 2724	2640	cmd.exe	35
PID 2640 wrote to memory of 2724	2640	cmd.exe	35
PID 2640 wrote to memory of 2724	2640	cmd.exe	35
PID 2640 wrote to memory of 2528	2640	cmd.exe	36
PID 2640 wrote to memory of 2528	2640	cmd.exe	36
PID 2640 wrote to memory of 2528	2640	cmd.exe	36
PID 2640 wrote to memory of 2528	2640	cmd.exe	36
PID 2640 wrote to memory of 2616	2640	cmd.exe	37
PID 2640 wrote to memory of 2616	2640	cmd.exe	37
PID 2640 wrote to memory of 2616	2640	cmd.exe	37
PID 2640 wrote to memory of 2616	2640	cmd.exe	37
PID 2640 wrote to memory of 864	2640	cmd.exe	38
PID 2640 wrote to memory of 864	2640	cmd.exe	38
PID 2640 wrote to memory of 864	2640	cmd.exe	38
PID 2640 wrote to memory of 864	2640	cmd.exe	38
PID 2640 wrote to memory of 2500	2640	cmd.exe	39
PID 2640 wrote to memory of 2500	2640	cmd.exe	39
PID 2640 wrote to memory of 2500	2640	cmd.exe	39
PID 2640 wrote to memory of 2500	2640	cmd.exe	39
PID 2640 wrote to memory of 2672	2640	cmd.exe	40
PID 2640 wrote to memory of 2672	2640	cmd.exe	40
PID 2640 wrote to memory of 2672	2640	cmd.exe	40
PID 2640 wrote to memory of 2672	2640	cmd.exe	40
PID 2640 wrote to memory of 1636	2640	cmd.exe	41
PID 2640 wrote to memory of 1636	2640	cmd.exe	41
PID 2640 wrote to memory of 1636	2640	cmd.exe	41
PID 2640 wrote to memory of 1636	2640	cmd.exe	41
PID 2672 wrote to memory of 1528	2672	Sister.pif	42
PID 2672 wrote to memory of 1528	2672	Sister.pif	42
PID 2672 wrote to memory of 1528	2672	Sister.pif	42
PID 2672 wrote to memory of 1528	2672	Sister.pif	42
PID 2672 wrote to memory of 1528	2672	Sister.pif	42
PID 2672 wrote to memory of 1528	2672	Sister.pif	42
PID 2672 wrote to memory of 1528	2672	Sister.pif	42
PID 2672 wrote to memory of 1528	2672	Sister.pif	42
PID 2672 wrote to memory of 1528	2672	Sister.pif	42

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Heritage Heritage.bat & Heritage.bat & exit
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 651690
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "HampshireRangesScholarsPodcasts" Exhibit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Llp + ..\Powerful + ..\Dude + ..\Slightly + ..\Sources + ..\Vagina p
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
    Sister.pif p
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1528
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\651690\p

Filesize
524KB

MD5
9a24d4882c1d58ce2448fdae562666d4

SHA1
9d0565a9b786ab57844edd419459115aac35bde0

SHA256
7f33004e6d85eb4e355e98c93c6765cdf62572bcda24126a2758d8b8d9021c2f

SHA512
cd724a70b30103968830c89f935345eede1bf42ff454f65608c1799c72f35fb6e34cfa102d3a793d79370ab82e2a8f17ee6056c1248c406d5c620c35888828ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dude

Filesize
81KB

MD5
fb6f9a5933fa68a15184363dd5f74446

SHA1
fa310d04bdcb2578a5853bcd6cd24c5516ec93c6

SHA256
c10e2d896a120a8639b63836cb6f8d1229b9b3a063048d523aec908dbe89d928

SHA512
867fef1eac107b757e11df16c8c56347ae53f6d646a32f82ef7bae6f2479f168404affb4fcc3e462d234c6344e5b13e0d04482c59f5ffe810396e1b67634e3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exhibit

Filesize
521B

MD5
5afc7229caf4095825dbf15befd37493

SHA1
ba1096e7690b22c55b6afdea14b9eafd14af7097

SHA256
e7cbd4083aacfe6fa4d5c45c6d6e621417aa11860abc41478d56ae6248d8a0b1

SHA512
73202a3faf248a73b62c88746c5785effcdf30564b4afd2c4e9a3c6a24cf08b55e4a6fd35339c2a258981013dd0343cd62f64d247fd3180bd0b79ffc646e97fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heritage

Filesize
23KB

MD5
ee3a7efb4d01bb1b04e4c9ccb333c044

SHA1
93d69dc0b27d0334176e60babe362d7cacb3369f

SHA256
71f4148c94bb24a35ac080121a3bcd09ad45007b19d0235296385694703de26b

SHA512
b31a29cab9d03baec7387d1aba0176ddada3ad35be9497fc2df178f45c566c67fbeaff74e3648214362f8fabf6c1edc48536f5005e7ca6e2ef999574b09b0f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Llp

Filesize
98KB

MD5
b1be05ed7b57f24b0004276747520e23

SHA1
8f41ad51eef21727562136de08afecbdf51e1635

SHA256
dc71aa99d951b08ea1c0f886d0146d5ab1a4c031aeb692cb6b7ea92da80b2c38

SHA512
8747326a12820c04d4f268b063e11a84e71be47b9750ad0a8cb0325f24c0ad386d385d5d0a7ce4e81f984523dfaa6e9f26bc2e8bd226310974084e4d581dcfce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Papua

Filesize
872KB

MD5
8db77745f37a0a067728d621603c7cae

SHA1
e3a1bf4c37d10434642c31c0435da28f7ee30de3

SHA256
1335802132d3a38d17319ac6a5d3662820c30a50ed75a5d094cff5e1ccde687f

SHA512
bedfec2197d9d22eb692f34413af1f37b3cb057a1d2929d2835d0d4e24103d101178370b2717dbdb38fa6c5d125698ac4f74fd934bf6dbe35a3ae1a9eb75f607

Download Submit
C:\Users\Admin\AppData\Local\Temp\Powerful

Filesize
95KB

MD5
fc73c25541cfa8ac7a46fccb525f0cfd

SHA1
f83352a81f0f14546365f4c18d155233f4584d14

SHA256
0a887aa261cbdab920c9fb983f20906a046115c1c40e2bb986823ae4ef4aa408

SHA512
29bd51b706fcb7d075d85550926a33ba70269570b052c3d34297bd06ac652b1dc95c174e1e860df97df47171aef9ac3e8f552129e74690d4450e662e881b6cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slightly

Filesize
97KB

MD5
3a90362515761941660fbb96219f9fe0

SHA1
8c4386f0bb80eff84a96cc25eaa85f2dfd121679

SHA256
c942fb8755a8f61585f06af8ce2b1e9fcf8d88d45d6c80dff7f523c24bfb543e

SHA512
f4d165ce35a349332d6f5b68976a0735b90648f89c27f14bbabe3562c82ae233849886dff663e22d5a10440bcde8672cfb095ea7dac235bec9fca6aca22744d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sources

Filesize
75KB

MD5
470f19f312808e9d98a35a5343cb25a8

SHA1
50c4f2d1bfc53cbd2b4fa02bb156a5199aa85b3a

SHA256
8e0099e0b1d1a05f78099ebad128c0440bf0f469e21510e6996e8b497af36e3f

SHA512
1489d7bdb0ad32334bed050415062b340f79ecb8fb775f697d875300c7fc501e56162d547295d2f82fe4c6cf3a0a92c97e5f49bbeeaba58000636db970bd9cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB7BC.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vagina

Filesize
78KB

MD5
621679ec67ab5447a864ab80778de8ec

SHA1
288314f4e5ad902006af71971b75106c8e0bd6a8

SHA256
4f332881e0e1ab18279f0dbaddab9650c473ce42b0ffdceff9ae3e27923d1e87

SHA512
cf5394137a4fdb1de5a7fc014a743220c93ff850c5cddb99c432b6b0a9393cb33bb9d178c2d6e13c58211f456240b4b3ae6a123a2bb68ce62ec96aa99109215b

Download Submit
\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\651690\Sister.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/1528-31-0x0000000000110000-0x0000000000162000-memory.dmp

Filesize
328KB

Download
memory/1528-33-0x0000000000110000-0x0000000000162000-memory.dmp

Filesize
328KB

Download
memory/1528-34-0x0000000000110000-0x0000000000162000-memory.dmp

Filesize
328KB

Download