redline | d91af630cbb6a8c648dfbd18e181fc6b8243e7c8e9bd4fb40045e4711a797b6a

General

Target

injcetor.exe
Size

3.4MB
MD5

fd1f9974340c428b15e8bf838122326d
SHA1

c07709c671960f880c568516572b594ad5946029
SHA256

b2421dc681198079bfa3cae05c63750b3847211ab307051604c5e7e0ca2033a1
SHA512

647d9cc2d63dae6a4bfcb055b3d82bfae887fe08dfc04de6312f4a9953c64bbb2a16e225e79ee0ce1777676ab9465942e3a165a9d0feb921173858a3b4a10953
SSDEEP

24576:VQqt82oJ5L4RGVFoQ0C/Q12H0RmAdmR8dG2FAYOcy7qWDLUTk+vJ3UcDS0ScE1k9:BxyqCLQFzB5

Score

10^/10

redline @heatwins discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

@heatwins

C2

101.99.93.104:80

Attributes

auth_value
17c423c2282427bab2bc1b1703c250bf

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/166928-27-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	injcetor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	paylod.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 3 IoCs

pid	Process
2208	paylod.exe
2076	Injector.exe
167520	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 166928	2076	Injector.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	injcetor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paylod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injector.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe
Token: 33	167520	Payload.exe
Token: SeIncBasePriorityPrivilege	167520	Payload.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2208	1404	injcetor.exe	84
PID 1404 wrote to memory of 2208	1404	injcetor.exe	84
PID 1404 wrote to memory of 2208	1404	injcetor.exe	84
PID 1404 wrote to memory of 2076	1404	injcetor.exe	86
PID 1404 wrote to memory of 2076	1404	injcetor.exe	86
PID 1404 wrote to memory of 2076	1404	injcetor.exe	86
PID 2076 wrote to memory of 166928	2076	Injector.exe	88
PID 2076 wrote to memory of 166928	2076	Injector.exe	88
PID 2076 wrote to memory of 166928	2076	Injector.exe	88
PID 2076 wrote to memory of 166928	2076	Injector.exe	88
PID 2076 wrote to memory of 166928	2076	Injector.exe	88
PID 2208 wrote to memory of 167520	2208	paylod.exe	95
PID 2208 wrote to memory of 167520	2208	paylod.exe	95
PID 2208 wrote to memory of 167520	2208	paylod.exe	95
PID 2208 wrote to memory of 167536	2208	paylod.exe	96
PID 2208 wrote to memory of 167536	2208	paylod.exe	96
PID 2208 wrote to memory of 167536	2208	paylod.exe	96

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
167536	attrib.exe

C:\Users\Admin\AppData\Local\Temp\injcetor.exe
"C:\Users\Admin\AppData\Local\Temp\injcetor.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\paylod.exe
  "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Roaming\Payload.exe
    "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:167520
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:167536
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:166928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
2.4MB

MD5
c2f46e264d6e6c397b350ecee241bb12

SHA1
0c7b42a4ec2f542c157d76e0c966cc9f64562ea4

SHA256
e525d9165ad2ed2f31946497074a8fca400302fdcaa5793d236f10bc9f3f96a6

SHA512
89e411b39c840232fb07925b5dab5cadc67a32ab96b8d7185a67af035b1c8f5d7bf4135bdfe5f4a4c47f9bf08df105eb83419e0909551585b9316134fd5539a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
26KB

MD5
d5a3d41e77a2efe51b36cd7c50e3147e

SHA1
e004473fd08db1acfc246c8e2aba67f39424a89a

SHA256
b2d807fadd65cb24fb11feabd9ec5c4725b4437eaa09232fba06c2a07159d126

SHA512
d2ba9190a0797ce2ead533c768757d158406ac85207390ce5ff5c71cc6021204dced7ad94bc331ab883fd2d8e12d29e5fdeb2c17893c0c866aa866086f2d04f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
e38961c65702dfd26fea162aee60c87f

SHA1
558b896a2bedef5e212215f8182fc971407ef2b6

SHA256
2877aed18abf5b3978396041e24b7fd0b948d6deb5c8bda577d69c30276eef05

SHA512
9c9b7a05297b1caf21ceaa627da0161fa0c825db28c0536feb80f4042b1a4b80d907f945390a9effcd8e7a0b43bc8dd6f206f28803a2596dc116f93e74ca5bbe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
717c74f3329592ef829196b72e7f5eef

SHA1
04da8604181a9af55ac168b942603bfea198e6d8

SHA256
2450a0cb16780192afe74e93af15a90e31d7bf683adf6493734a9fc787e280a6

SHA512
ec5c5ca87f94a1f3f692047b45d3e9cbe2f491eb11b35f0ed6d06ef787b23ff26a7d40031fd23ffedae7f7a5602c40806c19879d60e7195959f314acf573f01c

Download Submit
memory/1404-22-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1404-1-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1404-2-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/1404-0-0x0000000074DE2000-0x0000000074DE3000-memory.dmp

Filesize
4KB

Download
memory/2076-26-0x00000000004B4000-0x00000000004B5000-memory.dmp

Filesize
4KB

Download
memory/2076-32-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2208-40-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/2208-19-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/2208-17-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/2208-16-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/2208-50-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/166928-33-0x0000000072ADE000-0x0000000072ADF000-memory.dmp

Filesize
4KB

Download
memory/166928-37-0x0000000007620000-0x000000000772A000-memory.dmp

Filesize
1.0MB

Download
memory/166928-38-0x0000000005B70000-0x0000000005BAC000-memory.dmp

Filesize
240KB

Download
memory/166928-39-0x0000000007830000-0x000000000787C000-memory.dmp

Filesize
304KB

Download
memory/166928-36-0x0000000005AD0000-0x0000000005AE2000-memory.dmp

Filesize
72KB

Download
memory/166928-35-0x0000000072AD0000-0x0000000073280000-memory.dmp

Filesize
7.7MB

Download
memory/166928-34-0x0000000005C90000-0x00000000062A8000-memory.dmp

Filesize
6.1MB

Download
memory/166928-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/166928-55-0x0000000072ADE000-0x0000000072ADF000-memory.dmp

Filesize
4KB

Download
memory/166928-56-0x0000000072AD0000-0x0000000073280000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads