redline | 06d0ec937e36ab2c995ee8fda4ea3299dcd5764c31ed4d6248f12d7d709e11a0

General

Target

Netflix Checker v0.2.2.exe
Size

1.3MB
MD5

a4327898c6814b4c3abfff706d1190a1
SHA1

e77787afb0ef28c577f133c5df3afa6f6235d83f
SHA256

06d0ec937e36ab2c995ee8fda4ea3299dcd5764c31ed4d6248f12d7d709e11a0
SHA512

f211a015cfddee4ad2eb68221ae277368f7d2091d4ffe450ca3c3c9ed0b6ea6f44a57b9e8918a2f9ed89018748858eb150138df7a36462aa9e9cf1688220c852
SSDEEP

6144:dwjTEJu+ax2jFVQ4KjaklytOkRiJhtO07OCtO:dwjIJuDx2HQ4QgiJ3

Score

10^/10

redline diamotrix discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Diamotrix

C2

176.111.174.140:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000173fc-35.dat	family_redline
behavioral1/memory/2548-37-0x00000000012E0000-0x0000000001332000-memory.dmp	family_redline

Redline family
redline
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2300	sysappec.exe
2596	Netflix Checker.exe
2548	23A7.tmp.x.exe

Loads dropped DLL 2 IoCs

pid	Process
780	Netflix Checker v0.2.2.exe
780	Netflix Checker v0.2.2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\F761AE1969052312027626\\F761AE1969052312027626.exe"	sysappec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23A7.tmp.x.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2300	sysappec.exe
1208	Explorer.EXE
2548	23A7.tmp.x.exe
2548	23A7.tmp.x.exe
2548	23A7.tmp.x.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2300	sysappec.exe
Token: SeSecurityPrivilege	2300	sysappec.exe
Token: SeTakeOwnershipPrivilege	2300	sysappec.exe
Token: SeLoadDriverPrivilege	2300	sysappec.exe
Token: SeSystemProfilePrivilege	2300	sysappec.exe
Token: SeSystemtimePrivilege	2300	sysappec.exe
Token: SeProfSingleProcessPrivilege	2300	sysappec.exe
Token: SeIncBasePriorityPrivilege	2300	sysappec.exe
Token: SeCreatePagefilePrivilege	2300	sysappec.exe
Token: SeBackupPrivilege	2300	sysappec.exe
Token: SeRestorePrivilege	2300	sysappec.exe
Token: SeShutdownPrivilege	2300	sysappec.exe
Token: SeDebugPrivilege	2300	sysappec.exe
Token: SeSystemEnvironmentPrivilege	2300	sysappec.exe
Token: SeRemoteShutdownPrivilege	2300	sysappec.exe
Token: SeUndockPrivilege	2300	sysappec.exe
Token: SeManageVolumePrivilege	2300	sysappec.exe
Token: 33	2300	sysappec.exe
Token: 34	2300	sysappec.exe
Token: 35	2300	sysappec.exe
Token: SeDebugPrivilege	2300	sysappec.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	2548	23A7.tmp.x.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2300	780	Netflix Checker v0.2.2.exe	31
PID 780 wrote to memory of 2300	780	Netflix Checker v0.2.2.exe	31
PID 780 wrote to memory of 2300	780	Netflix Checker v0.2.2.exe	31
PID 780 wrote to memory of 2596	780	Netflix Checker v0.2.2.exe	32
PID 780 wrote to memory of 2596	780	Netflix Checker v0.2.2.exe	32
PID 780 wrote to memory of 2596	780	Netflix Checker v0.2.2.exe	32
PID 2300 wrote to memory of 1208	2300	sysappec.exe	21
PID 1208 wrote to memory of 2548	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2548	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2548	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2548	1208	Explorer.EXE	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\Netflix Checker v0.2.2.exe
  "C:\Users\Admin\AppData\Local\Temp\Netflix Checker v0.2.2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Roaming\sysappec.exe
    "C:\Users\Admin\AppData\Roaming\sysappec.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\Netflix Checker.exe
    "Netflix Checker.exe"
    3⤵
    - Executes dropped EXE
    PID:2596
- C:\Users\Admin\AppData\Local\Temp\23A7.tmp.x.exe
  "C:\Users\Admin\AppData\Local\Temp\23A7.tmp.x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23A7.tmp.x.exe

Filesize
300KB

MD5
97eb7baa28471ec31e5373fcd7b8c880

SHA1
397efcd2fae0589e9e29fc2153ffb18a86a9b709

SHA256
9053b6bbaf941a840a7af09753889873e51f9b15507990979537b6c982d618cb

SHA512
323389357a9ffc5e96f5d6ef78ceb2ec5c62e4dcc1e868524b4188aff2497810ad16de84e498a3e49640ad0d58eadf2ba9c6ec24e512aa64d319331f003d7ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\Netflix Checker.exe

Filesize
751KB

MD5
c281afd76e71557e53a1b90a42a30c0f

SHA1
4531733877d48ccef6d63c8834776dfb9d2c412d

SHA256
6fd0cfcb7c15612d415a89901bffd3187792056c963ceba586a1359b0aa88971

SHA512
3c25bd4b72190144fcd419048a1fdeb2adb0d44e53673268b73d3056151fb53a7b7072e5ea8f072b39ca3132ca02b3e328c65a8eb4370c323b11743cc17144bf

Download Submit
\Users\Admin\AppData\Roaming\sysappec.exe

Filesize
25KB

MD5
b99a85f8ca740de99e7be9e48ec3b583

SHA1
957f9e3118643940e34890ef93331853583278bf

SHA256
9e3cd0ec2efeaf37b93aa63c995ebbe8bc5c57fc91a693e8d82ab2e6066e07f3

SHA512
38fafc87cc391092b9d05faf4d81eb3b2ca4cb618fba75165b12a4a620945de69ed4faa2e042e0a8d166d399dd9f71095da887293f9ff5bc80e2d6845e0998e1

Download Submit
memory/1208-29-0x0000000004210000-0x0000000004262000-memory.dmp

Filesize
328KB

Download
memory/1208-22-0x0000000002ED0000-0x0000000002F14000-memory.dmp

Filesize
272KB

Download
memory/1208-21-0x0000000002ED0000-0x0000000002F14000-memory.dmp

Filesize
272KB

Download
memory/1208-24-0x0000000004210000-0x0000000004262000-memory.dmp

Filesize
328KB

Download
memory/1208-32-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/2548-37-0x00000000012E0000-0x0000000001332000-memory.dmp

Filesize
328KB

Download
memory/2596-20-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-27-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-28-0x000000001AAE0000-0x000000001AB60000-memory.dmp

Filesize
512KB

Download
memory/2596-26-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

Filesize
4KB

Download
memory/2596-25-0x000000001AAE0000-0x000000001AB60000-memory.dmp

Filesize
512KB

Download
memory/2596-19-0x00000000011A0000-0x0000000001262000-memory.dmp

Filesize
776KB

Download
memory/2596-18-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads