redline | cc9061f5aa0a3be490e90be334be74e025bc7fd28a55ac3e68aeded57f482e72

General

Target

5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
Size

1.8MB
MD5

d59be142eb273dd2c2475932ea507be9
SHA1

778922a0c3449b856f1b655866fb80542277e4fa
SHA256

5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373
SHA512

a65cd3061b2533d1cab10df6e7157cce8983fb1b94e30137e9ccb4cb6bad08fab4b587030e5225e17914ae8bab02add30629fd9c872274d34ed69cbdc4c92fce
SSDEEP

49152:V5OSyRh7E/kByJ4g3AVm5c3+12bk7vRDB3VwMylYZRD:V5yRh75W4wAycuQbk1FFwvYv

Score

10^/10

redline logsdiller cloud (tg: @logsdillabot)discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

51.210.137.6:47909

Attributes

auth_value
3a050df92d0cf082b2cdaf87863616be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1188-17-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2376	123.exe
4048	321.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 1188	2376	123.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4236	2376	WerFault.exe	84
1812	2376	WerFault.exe	84
3176	2376	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5108	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2376	2312	5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe	84
PID 2312 wrote to memory of 2376	2312	5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe	84
PID 2312 wrote to memory of 2376	2312	5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe	84
PID 2312 wrote to memory of 4048	2312	5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe	87
PID 2312 wrote to memory of 4048	2312	5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe	87
PID 2312 wrote to memory of 4048	2312	5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe	87
PID 4048 wrote to memory of 5108	4048	321.exe	92
PID 4048 wrote to memory of 5108	4048	321.exe	92
PID 4048 wrote to memory of 5108	4048	321.exe	92
PID 2376 wrote to memory of 1188	2376	123.exe	96
PID 2376 wrote to memory of 1188	2376	123.exe	96
PID 2376 wrote to memory of 1188	2376	123.exe	96
PID 2376 wrote to memory of 1188	2376	123.exe	96
PID 2376 wrote to memory of 1188	2376	123.exe	96

C:\Users\Admin\AppData\Local\Temp\5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe
"C:\Users\Admin\AppData\Local\Temp\5aa72ffbc299f8ebe8ead4e520cd19faa66ab9ef872a0fc38dda11fd76a23373.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\Temp\123.exe
  "C:\Windows\Temp\123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 236
    3⤵
    - Program crash
    PID:4236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 240
    3⤵
    - Program crash
    PID:1812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 280
    3⤵
    - Program crash
    PID:3176
- C:\Windows\Temp\321.exe
  "C:\Windows\Temp\321.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 2376
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2376 -ip 2376
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2376 -ip 2376
1⤵
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\123.exe

Filesize
277KB

MD5
139bd936a6adeb2b74a181c601247ae8

SHA1
56c9287350a3ee85d3ac53e2035c888960553cb9

SHA256
bab411dae143f5b27889ead75f9b6136320815ee8a0051bec80a0e24b38248f7

SHA512
c24e986fb0461f8e9b51f76f4b9caaf3e9038f8620dda2b082bda524df758678b6cf210775c5e35e288d4104e0ebd110583df6986e2be77bb3902e5798b29d5a

Download Submit
C:\Windows\Temp\321.exe

Filesize
2.5MB

MD5
dcfaf070a6a9f794614f015be1a4288d

SHA1
8516855f7202ec5ebf010d30e591149bd249f60e

SHA256
32a8cd30c365f2e24302b0fce7fdcc6300cbbabb8ffe99247612411774be49b5

SHA512
52979a0716f1956f889fa62212ba4923cd869011c190b80679343f01b9d6160cbb1067bbbd281688c7f0936fe5d4304c61854aaa167e0d7f79a9e511f51a80fc

Download Submit
memory/1188-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1188-22-0x0000000005A30000-0x0000000006048000-memory.dmp

Filesize
6.1MB

Download
memory/1188-23-0x0000000005550000-0x000000000565A000-memory.dmp

Filesize
1.0MB

Download
memory/1188-24-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/1188-25-0x00000000054E0000-0x000000000551C000-memory.dmp

Filesize
240KB

Download
memory/1188-26-0x0000000005660000-0x00000000056AC000-memory.dmp

Filesize
304KB

Download
memory/4048-27-0x00000000008E0000-0x0000000000B71000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing