redline | 3307062c28428650267d61ad282295e38d5d2f4d2a033824ecfe302cdcc4be3b

General

Target

Fn Cheat Cracked/fn (1).exe
Size

6.1MB
MD5

75104ebb7b59d1cee81ee9855b0bfa0c
SHA1

122d4239f5e838c40a905bf8ee4270d2e7526367
SHA256

1cd7a63a349eacea2579932f9fdf40edf2eb57b62b76b18a92c1b7d0c82c81e0
SHA512

d9aebd3fc23ee26e6135b3b1607c2450c2a837aa383c24cd056ad63e1df7a5dfdc072a6f4f3654008d15d81eee339b25fb9e638a27eabf8bd314825a6c96de53
SSDEEP

196608:l4wCflR0SjSDiQckcU+PDF/5/ohgY/aULW:l4w86XcU+55AhgYrW

Score

10^/10

redline xred ingles backdoor discovery infostealer persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

redline

Botnet

ingles

C2

20.47.120.249:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_build.exe	family_redline
behavioral3/memory/3168-151-0x0000000000680000-0x00000000006D2000-memory.dmp	family_redline

Redline family
redline
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Synaptics.exefn (1).exebuild.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fn (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	build.exe

Executes dropped EXE 5 IoCs

Processes:

build.exefn (1).exe._cache_build.exeSynaptics.exe._cache_Synaptics.exe

pid process

496 build.exe
2080 fn (1).exe
3168 ._cache_build.exe
4964 Synaptics.exe
1276 ._cache_Synaptics.exe

pid	process
496	build.exe
2080	fn (1).exe
3168	._cache_build.exe
4964	Synaptics.exe
1276	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	build.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
14	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

._cache_Synaptics.exebuild.exe._cache_build.exeSynaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Modifies registry class 2 IoCs

Processes:

Synaptics.exebuild.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	build.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4448 EXCEL.EXE

pid	process
4448	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

fn (1).exe

pid	process
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe
4996	fn (1).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fn (1).exe

description pid process

Token: SeDebugPrivilege 4996 fn (1).exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

4448 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	4996	fn (1).exe

pid	process
4448	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

fn (1).exebuild.exeSynaptics.exe

description	pid	process	target process
PID 4996 wrote to memory of 496	4996	fn (1).exe	build.exe
PID 4996 wrote to memory of 496	4996	fn (1).exe	build.exe
PID 4996 wrote to memory of 496	4996	fn (1).exe	build.exe
PID 4996 wrote to memory of 2080	4996	fn (1).exe	fn (1).exe
PID 4996 wrote to memory of 2080	4996	fn (1).exe	fn (1).exe
PID 496 wrote to memory of 3168	496	build.exe	._cache_build.exe
PID 496 wrote to memory of 3168	496	build.exe	._cache_build.exe
PID 496 wrote to memory of 3168	496	build.exe	._cache_build.exe
PID 496 wrote to memory of 4964	496	build.exe	Synaptics.exe
PID 496 wrote to memory of 4964	496	build.exe	Synaptics.exe
PID 496 wrote to memory of 4964	496	build.exe	Synaptics.exe
PID 4964 wrote to memory of 1276	4964	Synaptics.exe	._cache_Synaptics.exe
PID 4964 wrote to memory of 1276	4964	Synaptics.exe	._cache_Synaptics.exe
PID 4964 wrote to memory of 1276	4964	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\fn (1).exe
"C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\fn (1).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_build.exe
    "C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3168
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1276
- C:\Users\Admin\AppData\Local\Temp\fn (1).exe
  "C:\Users\Admin\AppData\Local\Temp\fn (1).exe"
  2⤵
  - Executes dropped EXE
  PID:2080

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99085E00

Filesize
22KB

MD5
bbe6dadca05b03ba0cf618bb62e1ab57

SHA1
7209d07bdc5fe90354192747babb1a800e354ef7

SHA256
598790c14eee82856b68b2216c7f347d8168d4515da5fbb971d0f45bb84afde3

SHA512
58a593917442d35505db08ad046ce1075cd995a445dfde3e0d9f709f929133a71815d1a6778620b2d7d58e930589afdc9180e8e9e71205c6d5b9369b854b41e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_build.exe

Filesize
300KB

MD5
1fd9c2646e5231884580f1f5db2103ee

SHA1
863a8086c6b6f7aea54d1e75477b92fa8f66bdc9

SHA256
b8f24a63a377011781bac73c4c9a38c750e862a10a44f28149835d7250d01037

SHA512
da57d0f75d6842100a8bc10e7d25ac8afe5d136904acd1f81fa36d51f2ae87e87db61cdd673401b47a356c86df82c65d6558d2bac749f247e889ab6239d8ea16

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
1.1MB

MD5
d02039cea2b82cf96f379bbca2037ce5

SHA1
dc34845f3ea828a9491e51c6d24f36a81f31fbcf

SHA256
bb052e34b833b6f6cd633582c8327bcbe047ec7c6fb92c5779333e4ce64a31a2

SHA512
d0f61c70267ce87961b83d08bca7c78541cea1deafed4a9f85374eba44a40e0d23c900f8124d4cd0dbfd13dd47033b234ece5c1dec0851b2f980696c186397a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fH6svR2M.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\fn (1).exe

Filesize
5.6MB

MD5
4c34798a036175206dd7bb6e643ac5ff

SHA1
b1d3514ef4baa70ccdd570503e694c2f029502c3

SHA256
cb40c1ca95c625a765998497d9ff01cbf34fa5af1fa7f382f5d91276dcf25087

SHA512
1052718ecbf5312519833fcafd72e395832883ab6297eabe1bbf96d19bf03095d604fdaa178079af8ce26cb7238a6f4274e493527f4798a389690c231c6c5026

Download Submit
memory/496-150-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1276-279-0x0000000007770000-0x00000000077C0000-memory.dmp

Filesize
320KB

Download
memory/1276-278-0x0000000008160000-0x000000000868C000-memory.dmp

Filesize
5.2MB

Download
memory/1276-277-0x0000000007A60000-0x0000000007C22000-memory.dmp

Filesize
1.8MB

Download
memory/2080-22-0x00007FF7B4460000-0x00007FF7B523B000-memory.dmp

Filesize
13.9MB

Download
memory/3168-209-0x0000000005430000-0x000000000547C000-memory.dmp

Filesize
304KB

Download
memory/3168-153-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/3168-166-0x00000000061B0000-0x00000000067C8000-memory.dmp

Filesize
6.1MB

Download
memory/3168-206-0x0000000005B90000-0x0000000005C9A000-memory.dmp

Filesize
1.0MB

Download
memory/3168-207-0x0000000005270000-0x0000000005282000-memory.dmp

Filesize
72KB

Download
memory/3168-208-0x00000000053F0000-0x000000000542C000-memory.dmp

Filesize
240KB

Download
memory/3168-156-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/3168-151-0x0000000000680000-0x00000000006D2000-memory.dmp

Filesize
328KB

Download
memory/3168-152-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/3168-257-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/4448-224-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4448-221-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4448-225-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4448-226-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

Filesize
64KB

Download
memory/4448-227-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

Filesize
64KB

Download
memory/4448-222-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4448-223-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

Filesize
64KB

Download
memory/4996-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

Filesize
8KB

Download
memory/4996-232-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/4996-220-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

Filesize
8KB

Download
memory/4996-2-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/4996-1-0x0000000000600000-0x0000000000C24000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads