redline | feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
Size

951KB
MD5

e530d19a769bcd90ec3e92ebf08d68e9
SHA1

ba44d592474de8fdb853f25fb364fe14a4779f74
SHA256

feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36
SHA512

36e0b6fac19955bc2cc7c629f34577d1b0897ba4b551b5b0db3c8aec62c9ee92c15b7e1d953d79a3d6b428a31b816b7a410a2b62542d7260d97b22306e9b8f67
SSDEEP

24576:VouY8YFDfePwag4UuD8fb12btPSMAs+10lDgJHuA:tYZBW4uD8fxstPSMAP10lD

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

147.45.44.139:31598

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1860-27-0x0000000000C00000-0x0000000000C52000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2640 created 3488	2640	Instrumental.pif	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	Instrumental.pif
1860	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4868	tasklist.exe
4328	tasklist.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\VisitorPage	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Instrumental.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	tasklist.exe
Token: SeDebugPrivilege	4328	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2640	Instrumental.pif
2640	Instrumental.pif
2640	Instrumental.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 4592	2848	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe	85
PID 2848 wrote to memory of 4592	2848	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe	85
PID 2848 wrote to memory of 4592	2848	feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe	85
PID 4592 wrote to memory of 4868	4592	cmd.exe	89
PID 4592 wrote to memory of 4868	4592	cmd.exe	89
PID 4592 wrote to memory of 4868	4592	cmd.exe	89
PID 4592 wrote to memory of 2516	4592	cmd.exe	90
PID 4592 wrote to memory of 2516	4592	cmd.exe	90
PID 4592 wrote to memory of 2516	4592	cmd.exe	90
PID 4592 wrote to memory of 4328	4592	cmd.exe	92
PID 4592 wrote to memory of 4328	4592	cmd.exe	92
PID 4592 wrote to memory of 4328	4592	cmd.exe	92
PID 4592 wrote to memory of 1292	4592	cmd.exe	93
PID 4592 wrote to memory of 1292	4592	cmd.exe	93
PID 4592 wrote to memory of 1292	4592	cmd.exe	93
PID 4592 wrote to memory of 3896	4592	cmd.exe	94
PID 4592 wrote to memory of 3896	4592	cmd.exe	94
PID 4592 wrote to memory of 3896	4592	cmd.exe	94
PID 4592 wrote to memory of 2524	4592	cmd.exe	95
PID 4592 wrote to memory of 2524	4592	cmd.exe	95
PID 4592 wrote to memory of 2524	4592	cmd.exe	95
PID 4592 wrote to memory of 3256	4592	cmd.exe	98
PID 4592 wrote to memory of 3256	4592	cmd.exe	98
PID 4592 wrote to memory of 3256	4592	cmd.exe	98
PID 4592 wrote to memory of 2640	4592	cmd.exe	99
PID 4592 wrote to memory of 2640	4592	cmd.exe	99
PID 4592 wrote to memory of 2640	4592	cmd.exe	99
PID 4592 wrote to memory of 2916	4592	cmd.exe	100
PID 4592 wrote to memory of 2916	4592	cmd.exe	100
PID 4592 wrote to memory of 2916	4592	cmd.exe	100
PID 2640 wrote to memory of 1860	2640	Instrumental.pif	109
PID 2640 wrote to memory of 1860	2640	Instrumental.pif	109
PID 2640 wrote to memory of 1860	2640	Instrumental.pif	109
PID 2640 wrote to memory of 1860	2640	Instrumental.pif	109
PID 2640 wrote to memory of 1860	2640	Instrumental.pif	109

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe
  "C:\Users\Admin\AppData\Local\Temp\feb872b8a43d6a65ed3aa7e97dfa6c729c9e6fdf31ca913cbdbf2051d990fd36.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Kathy Kathy.cmd & Kathy.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4868
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2516
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4328
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 473722
      4⤵
      System Location Discovery: System Language Discovery
      PID:3896
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "LucasAlliedFooGraph" Armor
      4⤵
      System Location Discovery: System Language Discovery
      PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Edinburgh + Elliott + Luxembourg + Calm + Circumstances + Holders 473722\f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\473722\Instrumental.pif
      Instrumental.pif f
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2640
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
- C:\Users\Admin\AppData\Local\Temp\473722\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\473722\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\473722\Instrumental.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\473722\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\473722\f

Filesize
400KB

MD5
9c49b4a1f3a17bf4e3e1bc660f245e6c

SHA1
12aa8f0438d64b13c9e7d6886c9d431c89e7f95a

SHA256
06922a1830ea25238ef27d3e47d18f96a003fda2f5ac166b7134a68b180c2363

SHA512
4f931896327101250c10e3bf0d4c599714adfa73dfba4cf4e5f052d815fb6b11336044ab27e854bbf6d0452e1edb7ddb127c06013538760bc8f52f51d2c84740

Download Submit
C:\Users\Admin\AppData\Local\Temp\Armor

Filesize
393B

MD5
539436411a91ffff5f656b26255c8626

SHA1
671cee8628e8cf7658c2705018203b6c2c77b149

SHA256
90ea0b7abbd52a052ff34a28e840821a87f36676952eb89fa50ea813d2ade6ef

SHA512
52b7926540393f9e82724d7291f438b9a58ea09128821f2847d29fdd9fc6e1334cbae26e093d321abd88052780feee358145379ffa02a6cb3858ab11f94ecab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calm

Filesize
55KB

MD5
caf941605fb0c9b10e1ac279eee961ac

SHA1
7d88fee90d42f11540810d458c73dfe41b9ab85c

SHA256
3c29f332850330bcebab673d0bd18b3313eacd7576d5cf8effd158169cca4a34

SHA512
bed8761b7644b505ca45af83391398dd3d303759779e6ba24743cf7681b5053734989a0c0a9fe586da4bfda12e2dda401cd886963d42da2896e65af1561e3227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Circumstances

Filesize
90KB

MD5
acbcde3c125a72ebd6a2ae8315f50b63

SHA1
9a1548555b64caf4b0f7e2e14a1b30e700c81552

SHA256
3cc341685fded40e7973a6918312e174f7e9ee3c9f3fd32420f2b1cb21109361

SHA512
98c8b3972715f6f3cd889ac3e7471f667ab98082a1cb5a5eb815665005e7d9e872bb8f2a2acaa97879c85cc797b48d17c86e39feaa3ea72a109928c4994d44bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edinburgh

Filesize
67KB

MD5
a2773a9de9c8deb990a654e343f1258d

SHA1
cc83f93154c2cd956ee2bbd10f974c1db7cd91c8

SHA256
b64170d3071397e910f47f9f298abc22c33841f759b8ee9d999c6a27a2a4a2c0

SHA512
e5787a49fc0ecac8a325774d15c82d2dd27be981b12550a323304a703c7a20e171d08a1a384162a7a37d8e262f8ae7776e01886b845c4d7bf1342ae59da3c164

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elliott

Filesize
67KB

MD5
a9f377ceb60f84537bbaf960970cca82

SHA1
07bc24abaab9953be6018f92566b37f107e908a3

SHA256
3cf292881045f3d50364f423aca2fbd87e6f7339fe8db36568a1dd4b78a0b842

SHA512
3a30429a589776f430442b7cbbba3fb73a9891fb01e469ae59e3ee0479c90052d38223f102d1959b3b32589df8d14c13c55f765572845fbe67f2ea65b251c9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Holders

Filesize
32KB

MD5
30d6715fcb0d2ecea58ef12c55f47667

SHA1
c9db2ae4074ddb7379bbb4f6839b8321be526fa0

SHA256
0e1b8db2db7933870edaa0bccdc6a606f6e55597dde8f99638928f91728ea272

SHA512
9b7e3c1855a300b41ba965a08dfbd396337870121151822b67d1bfe8a2d8aa03d7360952dee799445c2c6ccd93ce58808534f5c891d51761e21f9ce5da0bb44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kathy

Filesize
13KB

MD5
c4981f3a5228cb7df18526017be817c6

SHA1
1c3691bfea44a197df09841784cdcaf7cbae3ec5

SHA256
d40d6e421976295250834db769af750c92012dcc88dc65507681faf6e4330c19

SHA512
21d3bc72be1b6cab6e0f85a805ab7fde23cc18d856f32b692ad6845f04fad93255b21ebffb2572543c43e8124e9b78fa79ae900bfb7145013fb305bc94d22c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keeps

Filesize
872KB

MD5
fc1fceed4119e874078b3a5fd502477d

SHA1
cddaf83c2aa7bab873ff8b9e3781c338645c81ac

SHA256
28d4a2a735bf820c7c4e48017ed1c0cbcc9351820fa561861b10f86a0022bf76

SHA512
5ec2f9c90500f8d118bc170da95caf09d88bc75f5f1f6d83866c7baa108bfaa74a4fc3d853cdf073430daae68810908514cf02dc4f6c5b5a1675efbcef34760a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luxembourg

Filesize
89KB

MD5
1c809e014a5fbf2c2782f00fc96140cd

SHA1
4d35a46db91a9cd4118ed05063f5db8adc885e34

SHA256
11c9db0ee88e1de82a3a745db8d9d6acf23ad120e18cfb308ad5a538c8868f0d

SHA512
060e05889fead6912c67f1fcfb7649996a43d86768cd8f0823572884f93fb6bf50bd3fafa5dad7e3509d5e43431c38cee9675e34f89a24d837b7ec440ded7cdb

Download Submit
memory/1860-27-0x0000000000C00000-0x0000000000C52000-memory.dmp

Filesize
328KB

Download
memory/1860-30-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download
memory/1860-31-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/1860-32-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/1860-33-0x0000000006370000-0x0000000006988000-memory.dmp

Filesize
6.1MB

Download
memory/1860-34-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/1860-35-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/1860-36-0x0000000005590000-0x00000000055CC000-memory.dmp

Filesize
240KB

Download
memory/1860-37-0x0000000005720000-0x000000000576C000-memory.dmp

Filesize
304KB

Download