redline | 010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce

General

Target

010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe
Size

323KB
MD5

c7fce4265a5346ff9d2413813886afce
SHA1

f6573a0b128dd29af3dd40e247bef6af27b2ef97
SHA256

010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce
SHA512

5c9a5239b6bc066655e2c28f296a8197916611d22c92ad58df846ac892d1ff70dd694d215f58192a16910e44cdf11ba07f981e7d35ea322dddf57aa262a47ddd
SSDEEP

6144:qyuooM8GZfDumFvuU2bmJtNZEpDbwQ/+5Ak43NN/Uuq10KhULPy+a76:VuoKGZfyVstXsbCAn3PrMoyd76

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

193.233.255.84:4284

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4524-4-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4524	RegAsm.exe
4524	RegAsm.exe
4524	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71
PID 1300 wrote to memory of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71
PID 1300 wrote to memory of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71
PID 1300 wrote to memory of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71
PID 1300 wrote to memory of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71
PID 1300 wrote to memory of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71
PID 1300 wrote to memory of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71
PID 1300 wrote to memory of 4524	1300	010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe	71

C:\Users\Admin\AppData\Local\Temp\010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe
"C:\Users\Admin\AppData\Local\Temp\010db379e364c7bda5073df61828ce0adcacaa3ab3397a449c7f98ee20521fce.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TmpD699.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
memory/1300-8-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1300-1-0x00000000007F0000-0x0000000000844000-memory.dmp

Filesize
336KB

Download
memory/1300-2-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1300-0-0x000000007379E000-0x000000007379F000-memory.dmp

Filesize
4KB

Download
memory/1300-6-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/4524-29-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/4524-34-0x00000000068B0000-0x00000000068EE000-memory.dmp

Filesize
248KB

Download
memory/4524-10-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/4524-11-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/4524-7-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/4524-28-0x0000000006030000-0x00000000060A6000-memory.dmp

Filesize
472KB

Download
memory/4524-4-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4524-31-0x0000000006DB0000-0x00000000073B6000-memory.dmp

Filesize
6.0MB

Download
memory/4524-33-0x0000000006850000-0x0000000006862000-memory.dmp

Filesize
72KB

Download
memory/4524-9-0x0000000005A30000-0x0000000005F2E000-memory.dmp

Filesize
5.0MB

Download
memory/4524-32-0x0000000006920000-0x0000000006A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4524-35-0x0000000006A30000-0x0000000006A7B000-memory.dmp

Filesize
300KB

Download
memory/4524-36-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/4524-37-0x0000000006B80000-0x0000000006BE6000-memory.dmp

Filesize
408KB

Download
memory/4524-38-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/4524-39-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/4524-40-0x00000000057B0000-0x0000000005800000-memory.dmp

Filesize
320KB

Download
memory/4524-41-0x00000000084C0000-0x0000000008682000-memory.dmp

Filesize
1.8MB

Download
memory/4524-42-0x0000000008BC0000-0x00000000090EC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing