redline | 3307062c28428650267d61ad282295e38d5d2f4d2a033824ecfe302cdcc4be3b

General

Target

Fn Cheat Cracked/fn (1).exe
Size

6.1MB
MD5

75104ebb7b59d1cee81ee9855b0bfa0c
SHA1

122d4239f5e838c40a905bf8ee4270d2e7526367
SHA256

1cd7a63a349eacea2579932f9fdf40edf2eb57b62b76b18a92c1b7d0c82c81e0
SHA512

d9aebd3fc23ee26e6135b3b1607c2450c2a837aa383c24cd056ad63e1df7a5dfdc072a6f4f3654008d15d81eee339b25fb9e638a27eabf8bd314825a6c96de53
SSDEEP

196608:l4wCflR0SjSDiQckcU+PDF/5/ohgY/aULW:l4w86XcU+55AhgYrW

Score

10^/10

redline xred ingles backdoor discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

ingles

C2

20.47.120.249:1912

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_build.exe	family_redline
behavioral4/memory/1784-49-0x0000000000BF0000-0x0000000000C42000-memory.dmp	family_redline
behavioral4/memory/2092-58-0x00000000003C0000-0x0000000000412000-memory.dmp	family_redline

Redline family
redline
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Executes dropped EXE 5 IoCs

Processes:

build.exefn (1).exe._cache_build.exeSynaptics.exe._cache_Synaptics.exe

pid process

2796 build.exe
2952 fn (1).exe
1784 ._cache_build.exe
2860 Synaptics.exe
2092 ._cache_Synaptics.exe
Loads dropped DLL 7 IoCs

Processes:

fn (1).exebuild.exeSynaptics.exe

pid process

1720 fn (1).exe
2796 build.exe
2796 build.exe
2796 build.exe
2796 build.exe
2860 Synaptics.exe
2860 Synaptics.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2796	build.exe
2952	fn (1).exe
1784	._cache_build.exe
2860	Synaptics.exe
2092	._cache_Synaptics.exe

pid	process
1720	fn (1).exe
2796	build.exe
2796	build.exe
2796	build.exe
2796	build.exe
2860	Synaptics.exe
2860	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	build.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

build.exe._cache_build.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

924 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

fn (1).exe._cache_Synaptics.exe._cache_build.exe

pid process

1720 fn (1).exe
1720 fn (1).exe
1720 fn (1).exe
2092 ._cache_Synaptics.exe
1784 ._cache_build.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
924	EXCEL.EXE

pid	process
1720	fn (1).exe
1720	fn (1).exe
1720	fn (1).exe
2092	._cache_Synaptics.exe
1784	._cache_build.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fn (1).exe._cache_Synaptics.exe._cache_build.exe

description	pid	process
Token: SeDebugPrivilege	1720	fn (1).exe
Token: SeDebugPrivilege	2092	._cache_Synaptics.exe
Token: SeDebugPrivilege	1784	._cache_build.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

924 EXCEL.EXE

pid	process
924	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

fn (1).exebuild.exeSynaptics.exe

description	pid	process	target process
PID 1720 wrote to memory of 2796	1720	fn (1).exe	build.exe
PID 1720 wrote to memory of 2796	1720	fn (1).exe	build.exe
PID 1720 wrote to memory of 2796	1720	fn (1).exe	build.exe
PID 1720 wrote to memory of 2796	1720	fn (1).exe	build.exe
PID 1720 wrote to memory of 2952	1720	fn (1).exe	fn (1).exe
PID 1720 wrote to memory of 2952	1720	fn (1).exe	fn (1).exe
PID 1720 wrote to memory of 2952	1720	fn (1).exe	fn (1).exe
PID 2796 wrote to memory of 1784	2796	build.exe	._cache_build.exe
PID 2796 wrote to memory of 1784	2796	build.exe	._cache_build.exe
PID 2796 wrote to memory of 1784	2796	build.exe	._cache_build.exe
PID 2796 wrote to memory of 1784	2796	build.exe	._cache_build.exe
PID 2796 wrote to memory of 2860	2796	build.exe	Synaptics.exe
PID 2796 wrote to memory of 2860	2796	build.exe	Synaptics.exe
PID 2796 wrote to memory of 2860	2796	build.exe	Synaptics.exe
PID 2796 wrote to memory of 2860	2796	build.exe	Synaptics.exe
PID 2860 wrote to memory of 2092	2860	Synaptics.exe	._cache_Synaptics.exe
PID 2860 wrote to memory of 2092	2860	Synaptics.exe	._cache_Synaptics.exe
PID 2860 wrote to memory of 2092	2860	Synaptics.exe	._cache_Synaptics.exe
PID 2860 wrote to memory of 2092	2860	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\fn (1).exe
"C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\fn (1).exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_build.exe
    "C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2092
- C:\Users\Admin\AppData\Local\Temp\fn (1).exe
  "C:\Users\Admin\AppData\Local\Temp\fn (1).exe"
  2⤵
  - Executes dropped EXE
  PID:2952

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FkAvMiL5.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkAvMiL5.xlsm

Filesize
24KB

MD5
3d31a57d0c1ba793743da691a99c9134

SHA1
d91bf6e9a768dded8e126fbb5840344a5bb13412

SHA256
e60f8afb97923e1a35fa28538e60aaa12fc905039b85b827bafe86d01f749512

SHA512
5022a46eeba667c286e6734f2a615c4dae99fa114730d499a06fd04f746fe343b0fe847b4a24e638f260585c5ca77cd5653f2f5f1feead973d0e665413e88c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
1.1MB

MD5
d02039cea2b82cf96f379bbca2037ce5

SHA1
dc34845f3ea828a9491e51c6d24f36a81f31fbcf

SHA256
bb052e34b833b6f6cd633582c8327bcbe047ec7c6fb92c5779333e4ce64a31a2

SHA512
d0f61c70267ce87961b83d08bca7c78541cea1deafed4a9f85374eba44a40e0d23c900f8124d4cd0dbfd13dd47033b234ece5c1dec0851b2f980696c186397a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fn (1).exe

Filesize
5.6MB

MD5
4c34798a036175206dd7bb6e643ac5ff

SHA1
b1d3514ef4baa70ccdd570503e694c2f029502c3

SHA256
cb40c1ca95c625a765998497d9ff01cbf34fa5af1fa7f382f5d91276dcf25087

SHA512
1052718ecbf5312519833fcafd72e395832883ab6297eabe1bbf96d19bf03095d604fdaa178079af8ce26cb7238a6f4274e493527f4798a389690c231c6c5026

Download Submit
\Users\Admin\AppData\Local\Temp\Fn Cheat Cracked\._cache_build.exe

Filesize
300KB

MD5
1fd9c2646e5231884580f1f5db2103ee

SHA1
863a8086c6b6f7aea54d1e75477b92fa8f66bdc9

SHA256
b8f24a63a377011781bac73c4c9a38c750e862a10a44f28149835d7250d01037

SHA512
da57d0f75d6842100a8bc10e7d25ac8afe5d136904acd1f81fa36d51f2ae87e87db61cdd673401b47a356c86df82c65d6558d2bac749f247e889ab6239d8ea16

Download Submit
memory/924-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1720-2-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-18-0x000000013FC80000-0x0000000140A5B000-memory.dmp

Filesize
13.9MB

Download
memory/1720-1-0x0000000000240000-0x0000000000864000-memory.dmp

Filesize
6.1MB

Download
memory/1720-20-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/1784-49-0x0000000000BF0000-0x0000000000C42000-memory.dmp

Filesize
328KB

Download
memory/2092-58-0x00000000003C0000-0x0000000000412000-memory.dmp

Filesize
328KB

Download
memory/2796-46-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2796-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2860-63-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2860-104-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2860-105-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2860-137-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2952-19-0x000000013FC80000-0x0000000140A5B000-memory.dmp

Filesize
13.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads