redline | feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36

Analysis

max time kernel
135s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/10/2024, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
Size

951KB
MD5

e530d19a769bcd90ec3e92ebf08d68e9
SHA1

ba44d592474de8fdb853f25fb364fe14a4779f74
SHA256

feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36
SHA512

36e0b6fac19955bc2cc7c629f34577d1b0897ba4b551b5b0db3c8aec62c9ee92c15b7e1d953d79a3d6b428a31b816b7a410a2b62542d7260d97b22306e9b8f67
SSDEEP

24576:VouY8YFDfePwag4UuD8fb12btPSMAs+10lDgJHuA:tYZBW4uD8fxstPSMAP10lD

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

147.45.44.139:31598

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/2964-31-0x0000000000090000-0x00000000000E2000-memory.dmp	family_redline
behavioral1/memory/2964-34-0x0000000000090000-0x00000000000E2000-memory.dmp	family_redline
behavioral1/memory/2964-33-0x0000000000090000-0x00000000000E2000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2680 created 1240	2680	Instrumental.pif	21

Executes dropped EXE 2 IoCs

pid	Process
2680	Instrumental.pif
2964	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2456	cmd.exe
2680	Instrumental.pif
2964	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2888	tasklist.exe
2684	tasklist.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\VisitorPage	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Instrumental.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2680	Instrumental.pif
2680	Instrumental.pif
2680	Instrumental.pif
2680	Instrumental.pif
2680	Instrumental.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	tasklist.exe
Token: SeDebugPrivilege	2684	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2680	Instrumental.pif
2680	Instrumental.pif
2680	Instrumental.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2680	Instrumental.pif
2680	Instrumental.pif
2680	Instrumental.pif

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2456	1852	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe	30
PID 1852 wrote to memory of 2456	1852	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe	30
PID 1852 wrote to memory of 2456	1852	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe	30
PID 1852 wrote to memory of 2456	1852	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe	30
PID 2456 wrote to memory of 2888	2456	cmd.exe	32
PID 2456 wrote to memory of 2888	2456	cmd.exe	32
PID 2456 wrote to memory of 2888	2456	cmd.exe	32
PID 2456 wrote to memory of 2888	2456	cmd.exe	32
PID 2456 wrote to memory of 2892	2456	cmd.exe	33
PID 2456 wrote to memory of 2892	2456	cmd.exe	33
PID 2456 wrote to memory of 2892	2456	cmd.exe	33
PID 2456 wrote to memory of 2892	2456	cmd.exe	33
PID 2456 wrote to memory of 2684	2456	cmd.exe	35
PID 2456 wrote to memory of 2684	2456	cmd.exe	35
PID 2456 wrote to memory of 2684	2456	cmd.exe	35
PID 2456 wrote to memory of 2684	2456	cmd.exe	35
PID 2456 wrote to memory of 2860	2456	cmd.exe	36
PID 2456 wrote to memory of 2860	2456	cmd.exe	36
PID 2456 wrote to memory of 2860	2456	cmd.exe	36
PID 2456 wrote to memory of 2860	2456	cmd.exe	36
PID 2456 wrote to memory of 3016	2456	cmd.exe	37
PID 2456 wrote to memory of 3016	2456	cmd.exe	37
PID 2456 wrote to memory of 3016	2456	cmd.exe	37
PID 2456 wrote to memory of 3016	2456	cmd.exe	37
PID 2456 wrote to memory of 2864	2456	cmd.exe	38
PID 2456 wrote to memory of 2864	2456	cmd.exe	38
PID 2456 wrote to memory of 2864	2456	cmd.exe	38
PID 2456 wrote to memory of 2864	2456	cmd.exe	38
PID 2456 wrote to memory of 2488	2456	cmd.exe	39
PID 2456 wrote to memory of 2488	2456	cmd.exe	39
PID 2456 wrote to memory of 2488	2456	cmd.exe	39
PID 2456 wrote to memory of 2488	2456	cmd.exe	39
PID 2456 wrote to memory of 2680	2456	cmd.exe	40
PID 2456 wrote to memory of 2680	2456	cmd.exe	40
PID 2456 wrote to memory of 2680	2456	cmd.exe	40
PID 2456 wrote to memory of 2680	2456	cmd.exe	40
PID 2456 wrote to memory of 1064	2456	cmd.exe	41
PID 2456 wrote to memory of 1064	2456	cmd.exe	41
PID 2456 wrote to memory of 1064	2456	cmd.exe	41
PID 2456 wrote to memory of 1064	2456	cmd.exe	41
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42
PID 2680 wrote to memory of 2964	2680	Instrumental.pif	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
  "C:\Users\Admin\AppData\Local\Temp\feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Kathy Kathy.cmd & Kathy.cmd & exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 473722
      4⤵
      System Location Discovery: System Language Discovery
      PID:3016
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "LucasAlliedFooGraph" Armor
      4⤵
      System Location Discovery: System Language Discovery
      PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Edinburgh + Elliott + Luxembourg + Calm + Circumstances + Holders 473722\f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\473722\Instrumental.pif
      Instrumental.pif f
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2680
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1064
- C:\Users\Admin\AppData\Local\Temp\473722\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\473722\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\473722\f

Filesize
400KB

MD5
9c49b4a1f3a17bf4e3e1bc660f245e6c

SHA1
12aa8f0438d64b13c9e7d6886c9d431c89e7f95a

SHA256
06922a1830ea25238ef27d3e47d18f96a003fda2f5ac166b7134a68b180c2363

SHA512
4f931896327101250c10e3bf0d4c599714adfa73dfba4cf4e5f052d815fb6b11336044ab27e854bbf6d0452e1edb7ddb127c06013538760bc8f52f51d2c84740

Download Submit
C:\Users\Admin\AppData\Local\Temp\Armor

Filesize
393B

MD5
539436411a91ffff5f656b26255c8626

SHA1
671cee8628e8cf7658c2705018203b6c2c77b149

SHA256
90ea0b7abbd52a052ff34a28e840821a87f36676952eb89fa50ea813d2ade6ef

SHA512
52b7926540393f9e82724d7291f438b9a58ea09128821f2847d29fdd9fc6e1334cbae26e093d321abd88052780feee358145379ffa02a6cb3858ab11f94ecab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calm

Filesize
55KB

MD5
caf941605fb0c9b10e1ac279eee961ac

SHA1
7d88fee90d42f11540810d458c73dfe41b9ab85c

SHA256
3c29f332850330bcebab673d0bd18b3313eacd7576d5cf8effd158169cca4a34

SHA512
bed8761b7644b505ca45af83391398dd3d303759779e6ba24743cf7681b5053734989a0c0a9fe586da4bfda12e2dda401cd886963d42da2896e65af1561e3227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Circumstances

Filesize
90KB

MD5
acbcde3c125a72ebd6a2ae8315f50b63

SHA1
9a1548555b64caf4b0f7e2e14a1b30e700c81552

SHA256
3cc341685fded40e7973a6918312e174f7e9ee3c9f3fd32420f2b1cb21109361

SHA512
98c8b3972715f6f3cd889ac3e7471f667ab98082a1cb5a5eb815665005e7d9e872bb8f2a2acaa97879c85cc797b48d17c86e39feaa3ea72a109928c4994d44bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edinburgh

Filesize
67KB

MD5
a2773a9de9c8deb990a654e343f1258d

SHA1
cc83f93154c2cd956ee2bbd10f974c1db7cd91c8

SHA256
b64170d3071397e910f47f9f298abc22c33841f759b8ee9d999c6a27a2a4a2c0

SHA512
e5787a49fc0ecac8a325774d15c82d2dd27be981b12550a323304a703c7a20e171d08a1a384162a7a37d8e262f8ae7776e01886b845c4d7bf1342ae59da3c164

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elliott

Filesize
67KB

MD5
a9f377ceb60f84537bbaf960970cca82

SHA1
07bc24abaab9953be6018f92566b37f107e908a3

SHA256
3cf292881045f3d50364f423aca2fbd87e6f7339fe8db36568a1dd4b78a0b842

SHA512
3a30429a589776f430442b7cbbba3fb73a9891fb01e469ae59e3ee0479c90052d38223f102d1959b3b32589df8d14c13c55f765572845fbe67f2ea65b251c9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Holders

Filesize
32KB

MD5
30d6715fcb0d2ecea58ef12c55f47667

SHA1
c9db2ae4074ddb7379bbb4f6839b8321be526fa0

SHA256
0e1b8db2db7933870edaa0bccdc6a606f6e55597dde8f99638928f91728ea272

SHA512
9b7e3c1855a300b41ba965a08dfbd396337870121151822b67d1bfe8a2d8aa03d7360952dee799445c2c6ccd93ce58808534f5c891d51761e21f9ce5da0bb44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kathy

Filesize
13KB

MD5
c4981f3a5228cb7df18526017be817c6

SHA1
1c3691bfea44a197df09841784cdcaf7cbae3ec5

SHA256
d40d6e421976295250834db769af750c92012dcc88dc65507681faf6e4330c19

SHA512
21d3bc72be1b6cab6e0f85a805ab7fde23cc18d856f32b692ad6845f04fad93255b21ebffb2572543c43e8124e9b78fa79ae900bfb7145013fb305bc94d22c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keeps

Filesize
872KB

MD5
fc1fceed4119e874078b3a5fd502477d

SHA1
cddaf83c2aa7bab873ff8b9e3781c338645c81ac

SHA256
28d4a2a735bf820c7c4e48017ed1c0cbcc9351820fa561861b10f86a0022bf76

SHA512
5ec2f9c90500f8d118bc170da95caf09d88bc75f5f1f6d83866c7baa108bfaa74a4fc3d853cdf073430daae68810908514cf02dc4f6c5b5a1675efbcef34760a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luxembourg

Filesize
89KB

MD5
1c809e014a5fbf2c2782f00fc96140cd

SHA1
4d35a46db91a9cd4118ed05063f5db8adc885e34

SHA256
11c9db0ee88e1de82a3a745db8d9d6acf23ad120e18cfb308ad5a538c8868f0d

SHA512
060e05889fead6912c67f1fcfb7649996a43d86768cd8f0823572884f93fb6bf50bd3fafa5dad7e3509d5e43431c38cee9675e34f89a24d837b7ec440ded7cdb

Download Submit
\Users\Admin\AppData\Local\Temp\473722\Instrumental.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\473722\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/2964-31-0x0000000000090000-0x00000000000E2000-memory.dmp

Filesize
328KB

Download
memory/2964-34-0x0000000000090000-0x00000000000E2000-memory.dmp

Filesize
328KB

Download
memory/2964-33-0x0000000000090000-0x00000000000E2000-memory.dmp

Filesize
328KB

Download