Analysis
-
max time kernel
885s -
max time network
438s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 18:43
General
-
Target
Redlinestealer2020-main.zip
-
Size
2.5MB
-
MD5
291c143340623d5ddd9895e3173970cf
-
SHA1
64603a6f1fa74412e91fa20688f213d13b1dff40
-
SHA256
0e486871aeddade1498c575341b53401d74af20bf4cf9103b8d1f9596d852673
-
SHA512
4a226b9ca9c86cedcb677830551207fb5e4fe54f1e0959e4dc97581c1375416934d9a61570ddc6a7fab7acce0ef8d9cb4251de69b70d8780891f4b8f109eb6c7
-
SSDEEP
49152:BZiaJLFXJVKGIub4kSAQOXJ6kVViwBE2x6eni8mZw7/8Z:BZiaJtJVKGckSUdhBE/eiXOU
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
-
Redline family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 56 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Redlinestealer2020-main.zip"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Redlinestealer2020-main\OpenPort.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=66772⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\Desktop\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe"C:\Users\Admin\Desktop\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe"C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe"C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
-
-
C:\Users\Admin\Desktop\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe"C:\Users\Admin\Desktop\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe"C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Downloads\Build.exe"C:\Users\Admin\Downloads\Build.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1944 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\Build.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 19443⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\Build.exe"C:\Users\Admin\Downloads\Build.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 1492 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\Build.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 14923⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD572fba49d22b760ff58bc0ee0ae1fd46b
SHA14d04aa7ee3c0cbaf79d32c7d06ad624c3729741c
SHA256c67d0d183c72bf9302bb2bb424d0414bf8992d94503f469138bf7f5bbbe27b08
SHA5124c0cbf8917bbf7b47a5e02995eb6bd98deca8e51715834ff7a9afa8980e5900ce34bf4fff75e6522e6e08b9dcfaf79ec3c53b4a58f71fe6882820c994188838f
-
Filesize
219KB
MD55eca94d909f1ba4c5f3e35ac65a49076
SHA13b9cb69510887117844464a2cc711c06f2c3bd19
SHA256de0e530d46c803d85b8aeb6d18816f1b09cb3dafefb5e19fdfa15c9f41e0f474
SHA512257a33c748dfb617a7e2892310132fd4abf4384fb09c93a8ac3f609fd91353a4f3e326124ecc63b6041ac87cf4fcc17a8bdca312e0c851acd9c7a182247066ea
-
Filesize
50KB
MD5eaf9c55793cd26f133708714ed3a5397
SHA11818aa718498f0810199eca2b91db300dc24f902
SHA25687cfc70bec2d2a37bcd5d46f9e6f0051f82e015ff96e8f2bc2d81b85f2632f15
SHA512b793ae1155bd7be247b42c0fc1bc53e34cf69e802c0e365427322dac4b5cc68728d24255a717aaffa774b4551a6946c17106387cff4cfdb6ce638d8a4ecab4d9
-
Filesize
436KB
MD5f13dc3cffef729d26c4da102674561cf
SHA15f9abff0bdf305e33b578c22dada5c87b2f6f39c
SHA256d490c04e6e89462fd46099d3454985f319f57032176c67403b3b92c86ca58bcb
SHA512aa8699c5f608a10a577cb23715f761ee28922c4778f5ea8a5ec0a184e1143689fba5a08003fd5cbf3c7dd516eac1fddc8c3f9efa1d993ba1888e87b70190c08f
-
Filesize
42KB
MD5dc80f588f513d998a5df1ca415edb700
SHA1e2f0032798129e461f0d2494ae14ea7a4f106467
SHA25690cfc73befd43fc3fd876e23dcc3f5ce6e9d21d396bbb346513302e2215db8c9
SHA5121b3e57fbc10f109a43e229b5010d348e2786e12ddf48a757da771c97508f8f3891be3118ff3bb84c3fd6bfa1723c670541667cdbf2d14ea63243f6def8f038cc
-
Filesize
18KB
MD50ba762b6b5fbda000e51d66722a3bb2c
SHA1260f9c873831096e92128162cc4dfcc5c2ba9785
SHA256d18eb89421d50f079291b78783408cee4bab6810e4c5a4b191849265bdd5ba7c
SHA51203496dce05c0841888802005c75d5b94ac5ca3aa88d754230b6f4619861e58c0492c814805cde104dc7071e2860ebc90a7fba402c65a0397fb519c57fca982f7
-
Filesize
87KB
MD56cd3ed3db95d4671b866411db4950853
SHA1528b69c35a5e36cc8d747965c9e5ea0dc40323b8
SHA256d67ebd49241041e6b6191703a90d89e68d4465adce02c595218b867df34581a3
SHA512e8ae4caf214997cc440e684a963727934741fd616a073365fa1fc213c5ca336c12e117d7fa0d6643600a820297fc11a21e4ac3c11613fba612b90ebd5fc4c07e
-
Filesize
25KB
MD58e07476db3813903e596b669d3744855
SHA1964a244772ee23c31f9e79477fbccfd8ed9437e6
SHA256aa6469974d04cba872f86e6598771663bb8721d43a4a0a2a44cf3e2cd2f1e646
SHA512715e7f4979142a96b04f8cb2ffa4a1547cd509eb05cf73f0885de533d60fd43d0c5bba9c051871fd38d503cb61fe1a0ee24350f25d89476fbc3b794f0ff9998f
-
Filesize
27KB
MD5c8f36848ce8f13084b355c934fc91746
SHA18f60c2fd1f6f5b5f365500b2749dca8c845f827a
SHA256a08c040912df2a3c823ade85d62239d56abaa8f788a2684fb9d33961922687c7
SHA5127c47f96e0e7dfaebb4dccf99fa0dda64c608634e2521798fd0d4c74eb2641c848fadad29c2cd26eb9b45acdfef791752959117a59e1f0913f9092e4662075115
-
Filesize
8KB
MD517e3ccb3a96be6d93ca3c286ca3b93dc
SHA1d6e2f1edc52bbef4d6d2c63c837a024d6483bbb3
SHA256ca54d2395697efc3163016bbc2bb1e91b13d454b9a5a3ee9a4304012f012e5eb
SHA51208c4fc7b9a7609aca8d1f7c7cd1b8c859c198d3d4e7cad012a6f9b5490afff04a330c46f3429d61e3a5570c82855deda64a0308b899f8e2f93f66ed50f7fad3b
-
Filesize
337KB
MD57546acebc5a5213dee2a5ed18d7ebc6c
SHA1b964d242c0778485322ccb3a3b7c25569c0718b7
SHA2567744c9c84c28033bc3606f4dfce2adcd6f632e2be7827893c3e2257100f1cf9e
SHA51230b3a001550dca88c8effc9e8107442560ee1f42e3d2f354cc2813ae9030bf872c76dc211fd12778385387be5937e9bf172ea00c151cab0bca77c8aafdd11f7d
-
Filesize
172KB
MD5c0a69f1b0c50d4f133cd0b278ac2a531
SHA1bcefbe60c18318f21ba53377a386733e9266c37d
SHA256a4f79c99d8923bd6c30efafa39363c18babe95f6609bbad242bca44342ccc7bb
SHA512c38b0b08e7d37f31ab4331fcc54033ec181dc399e39df602869846f53e3dc006425a81b7b08f352c5e54501e247657364dfc288085a7c1c552737d4db4f33406
-
Filesize
683KB
MD56815034209687816d8cf401877ec8133
SHA11248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA2567f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA5123398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721
-
Filesize
2B
MD58cf8463b34caa8ac871a52d5dd7ad1ef
SHA1a5d5b61aa8a61b7d9d765e1daf971a9a578f1cfa
SHA256eb4bd64f7014f7d42e9d358035802242741b974e8dfcd37c59f9c21ce29d781e
SHA512dd4f520768dafe6990081e74c73c7adff8bdde7f831aa9ea6b8de15d3ed53c7b04eaf15cb332f4ff3b55966b75612bd5c2dd5ca62139eee58470a7f5d59bb62f
-
Filesize
29KB
MD5bee2969583715bfa584d073ac8d98c42
SHA137d1221ce6bb82e7ad08fd22bd13592815a23468
SHA2565f92db78e43986f063632fb2cfafdce73e5e7e64979900783ca9a00016933375
SHA5125c139b81a51477d8362be2bf72b9f2425d54ef67b4ad715fbe8aa11f8a57435abb7f23a7ecaee18611e559d1006c0df5dd3427b6e7c3caed38d8cffd79e4bb1c
-
Filesize
2.7MB
MD51d4e91345a76c90e0849c9389e66fe8c
SHA1744393f64d9f95a987605ac14b721dbbc985901c
SHA2561d820d1c1e9d661603cd32177fb128c9a6844fe2492b6fbb3120bd37553663b0
SHA512e0c5fa5c9141e139d529b80058c1ff8fb252116076c57fbea106ee2500cb23d3a91b76f6348bc0bcf465acde510463352a960eefd29198f4068661342cbd28b8
-
Filesize
76KB
MD5944ce5123c94c66a50376e7b37e3a6a6
SHA1a1936ac79c987a5ba47ca3d023f740401f73529b
SHA2567da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a
SHA5124c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b
-
Filesize
11KB
MD5de6f68cdf350fce9be13803d84be98c4
SHA1e37ec52f68ab48344579ccbfc4d2d90d3073c808
SHA25651bbc69942823b84c2a1f0efdb9d63fb04612b223e86af8a83b4b307dd15cd24
SHA5120344b764dc0a615d5a0bbb24ba442bd857d69fd3b102f243dafc9a9ae8776f6ad98f9af2cf680effaa5807451e310232224264ce9fe1bbc4a5f826833705ee8a
-
Filesize
33KB
MD5418dc008ef956465e179ec29d3c3c245
SHA14960b2952c6cc8de2295f145c3a4526bf6d1a391
SHA2568c7e21b37540211d56c5fdbb7e731655a96945aa83f2988e33d5adb8aa7c8df1
SHA512ad386b6cf99682d117dce3a38c37f45843ac87d9ad17608453c0dfe8dd2b74c0c19c46a35da8140dc3ffc61d2333d78ab1438723cfd74aac585c39f0f59542f2
-
Filesize
274KB
MD5d16fffeb71891071c1c5d9096ba03971
SHA124c2c7a0d6c9918f037393c2a17e28a49d340df1
SHA256141b235af8ebf25d5841edee29e2dcf6297b8292a869b3966c282da960cbd14d
SHA51227fb5b77fcadbe7bd1af51f7f40d333cd12de65de12e67aaea4e5f6c0ac2a62ee65bdafb1dbc4e3c0a0b9a667b056c4c7d984b4eb1bf4b60d088848b2818d87a
-
Filesize
141KB
MD59c44ce0cc507f539a3b6aa9c3671f092
SHA18f2ff23438e4e3e4c19537e90688f21cbe189908
SHA2567b6c6588d3bddb06a0efbbf237cf501c027dac8bd2b82c6835e0a2c8bdfae842
SHA512d0496f88e659961cd29359e15002e32550e00897ab8c4cd7079ad928582b70ef82a0d110378cca8a8404cc3e14f7769cd68a925686a577a726101bc04d633ce3
-
Filesize
94B
MD5cf1cc90281e28cee22dce7ed013c2678
SHA12f213a71b76db3e51ad2d659f84dc1f3f90725fb
SHA25684399f8bccefa404e156a5351b1de75a2d5290b4fddd1754efb16401ed7218ef
SHA5122b61c1da7cc66506537719cedab82f172d2ac1af4df69513ba64507a5ed67989974f81791faf08c5855580df53f564600381be34c340b825f1f01919948921e1
-
Filesize
633KB
MD5baf102927947289e4d589028620ce291
SHA15ade9a99a86e5558e5353afa7844229ed23bdcd5
SHA256a6d2d1ba6765e5245b0f62e37d9298e20c913c5a33912b98bd65a76fc5ab28ae
SHA512973ecb034ba18a74c85165df743d9d87168b07539c8ef1d60550171bc0a5766a10b9e6be1425aea203be45b4175694a489ea1b7837faa3b1927ca019492ccd37
-
Filesize
360KB
-
Filesize
168KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
2.7MB
-
Filesize
704KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
360KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
248KB
-
Filesize
168KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
296KB
-
Filesize
464KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1.0MB
-
Filesize
160KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
656KB
-
Filesize
6.1MB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
40KB