redline | bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372

Analysis

max time kernel
106s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe
Size

2.3MB
MD5

2dee285e0dfc56b423c87de5e33407ce
SHA1

2ae1082d75469390df22b0fb31568e2a9c5c1a24
SHA256

bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372
SHA512

f6001e9542929923fb4b3e1d1218a66b25103a84b46756dd89d3b70b5fcad919cd8eade98a881ea291a7fea9a596a43b40c8c2757012a46564a7cafc419c866d
SSDEEP

49152:H5+hFHxq1JcJ05gwY7xnXst4sQWKh+BH8gjlPh4Tcaxiz8lVHTIioOFZQ+t:H5aFRqxl6hyHHa+BH1jngcaxiqZ7t

Score

10^/10

redline @normhhd discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@normhhd

62.182.156.24:12780

Attributes

auth_value
bb67ccc49d44343128ca161d7fe51029

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023baa-82.dat	family_redline
behavioral2/memory/2068-83-0x0000000000940000-0x0000000000960000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe

Executes dropped EXE 12 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe@normhhd.exe

pid	Process
2288	7z.exe
1924	7z.exe
2380	7z.exe
4440	7z.exe
508	7z.exe
4544	7z.exe
3976	7z.exe
3788	7z.exe
3536	7z.exe
380	7z.exe
2928	7z.exe
2068	@normhhd.exe

Loads dropped DLL 11 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	Process
2288	7z.exe
1924	7z.exe
2380	7z.exe
4440	7z.exe
508	7z.exe
4544	7z.exe
3976	7z.exe
3788	7z.exe
3536	7z.exe
380	7z.exe
2928	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe@normhhd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@normhhd.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

description	pid	Process
Token: SeRestorePrivilege	2288	7z.exe
Token: 35	2288	7z.exe
Token: SeSecurityPrivilege	2288	7z.exe
Token: SeSecurityPrivilege	2288	7z.exe
Token: SeRestorePrivilege	1924	7z.exe
Token: 35	1924	7z.exe
Token: SeSecurityPrivilege	1924	7z.exe
Token: SeSecurityPrivilege	1924	7z.exe
Token: SeRestorePrivilege	2380	7z.exe
Token: 35	2380	7z.exe
Token: SeSecurityPrivilege	2380	7z.exe
Token: SeSecurityPrivilege	2380	7z.exe
Token: SeRestorePrivilege	4440	7z.exe
Token: 35	4440	7z.exe
Token: SeSecurityPrivilege	4440	7z.exe
Token: SeSecurityPrivilege	4440	7z.exe
Token: SeRestorePrivilege	508	7z.exe
Token: 35	508	7z.exe
Token: SeSecurityPrivilege	508	7z.exe
Token: SeSecurityPrivilege	508	7z.exe
Token: SeRestorePrivilege	4544	7z.exe
Token: 35	4544	7z.exe
Token: SeSecurityPrivilege	4544	7z.exe
Token: SeSecurityPrivilege	4544	7z.exe
Token: SeRestorePrivilege	3976	7z.exe
Token: 35	3976	7z.exe
Token: SeSecurityPrivilege	3976	7z.exe
Token: SeSecurityPrivilege	3976	7z.exe
Token: SeRestorePrivilege	3788	7z.exe
Token: 35	3788	7z.exe
Token: SeSecurityPrivilege	3788	7z.exe
Token: SeSecurityPrivilege	3788	7z.exe
Token: SeRestorePrivilege	3536	7z.exe
Token: 35	3536	7z.exe
Token: SeSecurityPrivilege	3536	7z.exe
Token: SeSecurityPrivilege	3536	7z.exe
Token: SeRestorePrivilege	380	7z.exe
Token: 35	380	7z.exe
Token: SeSecurityPrivilege	380	7z.exe
Token: SeSecurityPrivilege	380	7z.exe
Token: SeRestorePrivilege	2928	7z.exe
Token: 35	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.execmd.exe

description	pid	Process	procid_target
PID 208 wrote to memory of 2680	208	bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe	83
PID 208 wrote to memory of 2680	208	bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe	83
PID 2680 wrote to memory of 1848	2680	cmd.exe	85
PID 2680 wrote to memory of 1848	2680	cmd.exe	85
PID 2680 wrote to memory of 2288	2680	cmd.exe	86
PID 2680 wrote to memory of 2288	2680	cmd.exe	86
PID 2680 wrote to memory of 1924	2680	cmd.exe	87
PID 2680 wrote to memory of 1924	2680	cmd.exe	87
PID 2680 wrote to memory of 2380	2680	cmd.exe	88
PID 2680 wrote to memory of 2380	2680	cmd.exe	88
PID 2680 wrote to memory of 4440	2680	cmd.exe	89
PID 2680 wrote to memory of 4440	2680	cmd.exe	89
PID 2680 wrote to memory of 508	2680	cmd.exe	90
PID 2680 wrote to memory of 508	2680	cmd.exe	90
PID 2680 wrote to memory of 4544	2680	cmd.exe	91
PID 2680 wrote to memory of 4544	2680	cmd.exe	91
PID 2680 wrote to memory of 3976	2680	cmd.exe	92
PID 2680 wrote to memory of 3976	2680	cmd.exe	92
PID 2680 wrote to memory of 3788	2680	cmd.exe	93
PID 2680 wrote to memory of 3788	2680	cmd.exe	93
PID 2680 wrote to memory of 3536	2680	cmd.exe	94
PID 2680 wrote to memory of 3536	2680	cmd.exe	94
PID 2680 wrote to memory of 380	2680	cmd.exe	95
PID 2680 wrote to memory of 380	2680	cmd.exe	95
PID 2680 wrote to memory of 2928	2680	cmd.exe	96
PID 2680 wrote to memory of 2928	2680	cmd.exe	96
PID 2680 wrote to memory of 2484	2680	cmd.exe	97
PID 2680 wrote to memory of 2484	2680	cmd.exe	97
PID 2680 wrote to memory of 2068	2680	cmd.exe	98
PID 2680 wrote to memory of 2068	2680	cmd.exe	98
PID 2680 wrote to memory of 2068	2680	cmd.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2484	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe
"C:\Users\Admin\AppData\Local\Temp\bcfed879203a5412d56e9fa0b18cb2ba39ec70b35241215fdffcb145ec64d372.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p___________4167pwd23162pwd24256pwd3899pwd21523pwd6183pwd5060___________ -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_10.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:508
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\system32\attrib.exe
    attrib +H "@normhhd.exe"
    3⤵
    - Views/modifies file attributes
    PID:2484
- - C:\Users\Admin\AppData\Local\Temp\main\@normhhd.exe
    "@normhhd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\@normhhd.exe

Filesize
104KB

MD5
d62aa042df33a547e8285b3ecd32ecd2

SHA1
1f0b1039b8ac46c445d74fad6d072a73129ff740

SHA256
6e7b7247eb14418b43d9ac257e3b1600e428c66010ddfc6f34f51c5b0b86a6a4

SHA512
0de47d94bd894518d695e955eb8a4917c867ecc8732613e688989dd1e38294152398fb7d5300e67f46620c5509530d91c4b4ab238b19b07085cb5f87534b3930

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
5e2fb08e59b7efe2bd28f55206cb9daf

SHA1
f906c3263aa09bc6a57b76032ad4f72b75944c02

SHA256
9df4a6b489ff097789f275822f7a7d63606c254db3af4ecb1ed143e64f18a2c3

SHA512
e107d5e29f8a1bde0a38180a31185f8d6f39aa12e47622330fdecb0a7635cfa7da1ce053840dbe99062c61339c94b1126bea9b973e51a7ba76d27e9ab622a196

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
43KB

MD5
0a27e7638db4cec0b87ceaae07dfb208

SHA1
536af2de69ac9a03e1e10b3b8ac044be4ff72a22

SHA256
e4da2a07234c1a916865f67584d9204bd52a8c9aa7720cb4875f059d1c799edf

SHA512
e16361c467aabb8885c14d88d1c762634ea31e55766714fa5f3d46f9ae2838a804b4729e58cc2905c83ea1aff1ae278eb0a02c6bfbc3f2e907de80364c430d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
1.6MB

MD5
c5e94de79269bc96d05151025867592f

SHA1
089d3b402f0a477bf527268763c189e4c4d2f6aa

SHA256
cb3cacd0dfd5785f9c5d594cc2ba75216b9d0e786cfca39e72bd5f62311a5d08

SHA512
5f3801af1659afea30003ba411db86e93d21f77638047fb2968e3b5e895520096bbb614cec8b01489e3a2c9ca59690f780abc3e1d0b6a69796f3601436f64545

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
43KB

MD5
14dfcb2fc9f3ccc2805cf2e77107b7c2

SHA1
51cd7b0c4a112dd51fbb3a5e213118c0e2621a0d

SHA256
4b18ec68c07bd31b824fcda431b27a98bbcdd3604b4e8bd0868b2b6c6dd8d11f

SHA512
355a934108debd184b71f05ef53d67840773fbadb2d2a2beffd6d4f47434d8fcc0605ce8defa57a09583143f7f6bc07881b58341fe8167775096aaa66a3ee59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
44KB

MD5
a8939febfebb028225a1ff386dd53eb1

SHA1
cebf6e5e860b141e64135b23061c818b6fdc9771

SHA256
fa16c85d14e26ba0f729c8c7e9d165c45dc3d3c7c6dc7b6c380074aa5eaf2d0c

SHA512
48bce1305bcfe5e429e8a1edf48246dc166d8bf276769cc24a8af7cce7f7a6772dc24ad5b0b993a00ed5d95121b965bff0d468725609e28dbefae4fa6430c882

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
44KB

MD5
98aa6e7bc005c5ce78968397acb465dd

SHA1
9ffd1d0df4e5f1c2c80891411247b829cf299471

SHA256
ec80bc892c5e96a9ff5eb2b1aa9ca3e4594513907c5d00619bb80fb84a33cb44

SHA512
777ccb5b6baf6f662555dab0c40123a670bbfcd4154e99619cb7ac7a6549089f1a3962e955caa4adbf969c5ae43709a8560ebf3cecd6ed01788094806b600dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
44KB

MD5
d0091e189f8a95a4dfa6343988bb54d5

SHA1
938d5b1062d20c115e7a749cd6bb022c22ac963d

SHA256
52f3b6b861b7a8d57b50ae59a32a94ec5e7e4f700ea333c1ba503bae9e91b04e

SHA512
c5819ebd17072b84e3d2df377d96e0849632e86c9e1ed57077002c7ed068547f88d1b8be9b7d63ae781d6a8847e7c85a1e5e98f07e662da741400962e0c65256

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
44KB

MD5
85159e9eda153788caefa180f612a374

SHA1
9c0f4b2ba7505e1b9cb62f82ba9205408e232a04

SHA256
551064a6cff12417ef8c2845bfe2c86c5198840ad36c02b7f45518546ff20c0b

SHA512
176748cc65602bbb4dbcf37f090810bd5c421a88e31f469663a120ee52f7f4ab61fb3904abee42b294b555385ad79920f0a643f299fc40d0c049b841d4c6c168

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
44KB

MD5
2181fdb9223135d9a4c5f94a7f0934ec

SHA1
1b914913e99e4cb0d0376e79fb540a174587e720

SHA256
dc85b5f5b1915bb047f64e7d1f61cb41f74834715169865382356603b1f6472d

SHA512
62442cee6276db9ad5f31ccbbbb2aa8a0495d3ee837dfb4f83d8235dd4148789568129c23e72a6f4a7440afb4348ea7e682e22516d665267b4c12c7a779c06d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
44KB

MD5
3f7b39e2c17f35ab4a7986aa632e9f5d

SHA1
87a1e2ec15985db8c9dab3e5de0bec3209ed933d

SHA256
0b2914bbe6dafba31b615854a8a07dc01f0a1b0a562dc4d2561d82e3be7e50ff

SHA512
077f136eb36355c4dcee272bcb5de03efa3f70326ca2856e4b4ed8735a28cfc3dec6ddddd1107b8f1e83c8477f3a99186737fb24d0848c7c894b0a16cfcffd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
44KB

MD5
fd63e687196b25f937d65baec300fef5

SHA1
ab9633e937eaa3f0c5780fb7b8d9ea1935f5e6a1

SHA256
bebe5ae980715fae41fd339fddc20885e19aa5013decf3998706b8ed5dbb4879

SHA512
7110f00a38433fe7f432312469954b80e4ca3198a360fc5604cc0c3df62b2577c013809124eae99f84f827d0984852db22489bb3bc74c4d88739640c7a5ce854

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
2b462118d8aa6b3c686472b5393c9738

SHA1
7a2cf1de9e60227614c7735100e3e58580ee8e48

SHA256
ede7d0fd13ddb2702fe993a6dd607ed1a867c026acfd77cf08f535144891ef4e

SHA512
b1bf622c499fe4fd4dc4c4e289d21051e309c57393f20eb68dde7d4dca6731523ccb5b3b4b0520e8f2909349b72efb36af5a6f1b019b5d156f82a4315e286e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
513B

MD5
5173e9e9092d4155efa2264de7d78b46

SHA1
83342b01bbad2438f4f1daeca7813f1ee01ca48e

SHA256
4cfe442148bd608a48ffdc2359e17d9393e5a2c29963154d8b3bd8da01ff2dd0

SHA512
e10f657be0f095a338fab4f4e855458ef897dec240a5dee38c0156d2084911dd20dacdc610abcb33c2db9887753e6ce0cc3b5d7286e55e11d356b9291df37071

Download Submit
memory/2068-84-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/2068-83-0x0000000000940000-0x0000000000960000-memory.dmp

Filesize
128KB

Download
memory/2068-88-0x00000000053B0000-0x00000000053FC000-memory.dmp

Filesize
304KB

Download
memory/2068-85-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/2068-87-0x0000000005360000-0x000000000539C000-memory.dmp

Filesize
240KB

Download
memory/2068-86-0x0000000005430000-0x000000000553A000-memory.dmp

Filesize
1.0MB

Download