redline | d91af630cbb6a8c648dfbd18e181fc6b8243e7c8e9bd4fb40045e4711a797b6a

General

Target

injcetor.exe
Size

3.4MB
MD5

fd1f9974340c428b15e8bf838122326d
SHA1

c07709c671960f880c568516572b594ad5946029
SHA256

b2421dc681198079bfa3cae05c63750b3847211ab307051604c5e7e0ca2033a1
SHA512

647d9cc2d63dae6a4bfcb055b3d82bfae887fe08dfc04de6312f4a9953c64bbb2a16e225e79ee0ce1777676ab9465942e3a165a9d0feb921173858a3b4a10953
SSDEEP

24576:VQqt82oJ5L4RGVFoQ0C/Q12H0RmAdmR8dG2FAYOcy7qWDLUTk+vJ3UcDS0ScE1k9:BxyqCLQFzB5

Score

10^/10

redline @heatwins discovery infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

@heatwins

C2

101.99.93.104:80

Attributes

auth_value
17c423c2282427bab2bc1b1703c250bf

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/176372-24-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

paylod.exeinjcetor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	paylod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	injcetor.exe

Drops startup file 4 IoCs

Processes:

Payload.exepaylod.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe

Executes dropped EXE 3 IoCs

Processes:

paylod.exeInjector.exePayload.exe

pid process

2456 paylod.exe
4484 Injector.exe
3192 Payload.exe

pid	process
2456	paylod.exe
4484	Injector.exe
3192	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

paylod.exePayload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Injector.exe

description pid process target process

PID 4484 set thread context of 176372 4484 Injector.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4484 set thread context of 176372	4484	Injector.exe	AppLaunch.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AppLaunch.exePayload.exeattrib.exeinjcetor.exepaylod.exeInjector.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	injcetor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paylod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injector.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe
Token: 33	3192	Payload.exe
Token: SeIncBasePriorityPrivilege	3192	Payload.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

injcetor.exeInjector.exepaylod.exe

description	pid	process	target process
PID 5032 wrote to memory of 2456	5032	injcetor.exe	paylod.exe
PID 5032 wrote to memory of 2456	5032	injcetor.exe	paylod.exe
PID 5032 wrote to memory of 2456	5032	injcetor.exe	paylod.exe
PID 5032 wrote to memory of 4484	5032	injcetor.exe	Injector.exe
PID 5032 wrote to memory of 4484	5032	injcetor.exe	Injector.exe
PID 5032 wrote to memory of 4484	5032	injcetor.exe	Injector.exe
PID 4484 wrote to memory of 176372	4484	Injector.exe	AppLaunch.exe
PID 4484 wrote to memory of 176372	4484	Injector.exe	AppLaunch.exe
PID 4484 wrote to memory of 176372	4484	Injector.exe	AppLaunch.exe
PID 4484 wrote to memory of 176372	4484	Injector.exe	AppLaunch.exe
PID 4484 wrote to memory of 176372	4484	Injector.exe	AppLaunch.exe
PID 2456 wrote to memory of 3192	2456	paylod.exe	Payload.exe
PID 2456 wrote to memory of 3192	2456	paylod.exe	Payload.exe
PID 2456 wrote to memory of 3192	2456	paylod.exe	Payload.exe
PID 2456 wrote to memory of 4912	2456	paylod.exe	attrib.exe
PID 2456 wrote to memory of 4912	2456	paylod.exe	attrib.exe
PID 2456 wrote to memory of 4912	2456	paylod.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4912 attrib.exe

pid	process
4912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\injcetor.exe
"C:\Users\Admin\AppData\Local\Temp\injcetor.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Users\Admin\AppData\Local\Temp\paylod.exe
  "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Roaming\Payload.exe
    "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4912
- C:\Users\Admin\AppData\Local\Temp\Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:176372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
2.4MB

MD5
c2f46e264d6e6c397b350ecee241bb12

SHA1
0c7b42a4ec2f542c157d76e0c966cc9f64562ea4

SHA256
e525d9165ad2ed2f31946497074a8fca400302fdcaa5793d236f10bc9f3f96a6

SHA512
89e411b39c840232fb07925b5dab5cadc67a32ab96b8d7185a67af035b1c8f5d7bf4135bdfe5f4a4c47f9bf08df105eb83419e0909551585b9316134fd5539a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
26KB

MD5
d5a3d41e77a2efe51b36cd7c50e3147e

SHA1
e004473fd08db1acfc246c8e2aba67f39424a89a

SHA256
b2d807fadd65cb24fb11feabd9ec5c4725b4437eaa09232fba06c2a07159d126

SHA512
d2ba9190a0797ce2ead533c768757d158406ac85207390ce5ff5c71cc6021204dced7ad94bc331ab883fd2d8e12d29e5fdeb2c17893c0c866aa866086f2d04f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
1510fb60181a9e71cf2d880581b1ebc2

SHA1
d57c13358e1a7413047deada6804c352fbe42d2c

SHA256
ee6809bb22194dbbd69b8c27df0dd8e177c8efc402df6bcea85c317e826f9aee

SHA512
3513e76edc7da6176a151170267061c0299934e8bb70574d7cd1326458e501f0ab476a37408614c151de6b319cddbdfb1afd71411c487f9b95120f0dec7a2923

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
a64741d0867eef64d911658f5ad85ab4

SHA1
46ae97bf28531c34b7107e2d26c027d84559c66a

SHA256
4ad2b1174afcd8bc7635ac05fe4232f67bc2f543f6f7b03d88ba03944e5a104a

SHA512
c298309bddf16ece573e396450d97c35aa7c6ff11c63651343a74c52c399a62fa92f44d860bcd782eb2f82ccc332c662e0d78a2521ffaf671ad73fbfe955b017

Download Submit
memory/2456-37-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/2456-15-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/2456-47-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-23-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-29-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/5032-1-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/5032-19-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/5032-0-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/176372-31-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/176372-34-0x0000000007BB0000-0x0000000007CBA000-memory.dmp

Filesize
1.0MB

Download
memory/176372-35-0x0000000007CC0000-0x0000000007CFC000-memory.dmp

Filesize
240KB

Download
memory/176372-36-0x0000000007D80000-0x0000000007DCC000-memory.dmp

Filesize
304KB

Download
memory/176372-33-0x0000000005CD0000-0x0000000005CE2000-memory.dmp

Filesize
72KB

Download
memory/176372-32-0x0000000006120000-0x0000000006738000-memory.dmp

Filesize
6.1MB

Download
memory/176372-30-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download
memory/176372-24-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/176372-52-0x00007FFD5FBF0000-0x00007FFD5FDE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads