Overview

overview

10

Static

static

10

Redlineste...in.rar

windows11-21h2-x64

10

Analysis

  • max time kernel
    1864s
  • max time network
    1877s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-12-2024 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Redlinestealer2020-main.rar

  • Size

    1.8MB

  • MD5

    a88286498006012f5b3c4b9fa8f280ad

  • SHA1

    91d75f89655f80df8a6c25c4337b44206041e960

  • SHA256

    9c90ada90c726c7a63c46db01ed5ba917312810d6da28f6063f70c3846bbbd59

  • SHA512

    d65c068d3d24c8f90ea4fccd74c59aa6ad3b1faeb8af6729753b2ca91d879d0224a5adc464849f8570142575ff4f1dadf39466861e6cfa9bf04d02e42d1307c0

  • SSDEEP

    49152:a2sbpzUtwePkQesHtqgdBDGghSijCNYYPZk3a9:lspUtwe8QeH6xhrjkoa9

Score
10/10
redlinediscoveryinfostealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 4 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Redlinestealer2020-main.rar"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3560
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3628
    • C:\Users\Admin\Desktop\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe
      "C:\Users\Admin\Desktop\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe
        "C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe"
        2⤵
        • Executes dropped EXE
        PID:3108
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4928
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:1508
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:3040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Bunifu_UI_v1.52.dll
      Filesize

      219KB

      MD5

      5eca94d909f1ba4c5f3e35ac65a49076

      SHA1

      3b9cb69510887117844464a2cc711c06f2c3bd19

      SHA256

      de0e530d46c803d85b8aeb6d18816f1b09cb3dafefb5e19fdfa15c9f41e0f474

      SHA512

      257a33c748dfb617a7e2892310132fd4abf4384fb09c93a8ac3f609fd91353a4f3e326124ecc63b6041ac87cf4fcc17a8bdca312e0c851acd9c7a182247066ea

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\GuiLib.dll
      Filesize

      50KB

      MD5

      eaf9c55793cd26f133708714ed3a5397

      SHA1

      1818aa718498f0810199eca2b91db300dc24f902

      SHA256

      87cfc70bec2d2a37bcd5d46f9e6f0051f82e015ff96e8f2bc2d81b85f2632f15

      SHA512

      b793ae1155bd7be247b42c0fc1bc53e34cf69e802c0e365427322dac4b5cc68728d24255a717aaffa774b4551a6946c17106387cff4cfdb6ce638d8a4ecab4d9

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\MetroSet UI.dll
      Filesize

      436KB

      MD5

      f13dc3cffef729d26c4da102674561cf

      SHA1

      5f9abff0bdf305e33b578c22dada5c87b2f6f39c

      SHA256

      d490c04e6e89462fd46099d3454985f319f57032176c67403b3b92c86ca58bcb

      SHA512

      aa8699c5f608a10a577cb23715f761ee28922c4778f5ea8a5ec0a184e1143689fba5a08003fd5cbf3c7dd516eac1fddc8c3f9efa1d993ba1888e87b70190c08f

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Mono.Cecil.Mdb.dll
      Filesize

      42KB

      MD5

      dc80f588f513d998a5df1ca415edb700

      SHA1

      e2f0032798129e461f0d2494ae14ea7a4f106467

      SHA256

      90cfc73befd43fc3fd876e23dcc3f5ce6e9d21d396bbb346513302e2215db8c9

      SHA512

      1b3e57fbc10f109a43e229b5010d348e2786e12ddf48a757da771c97508f8f3891be3118ff3bb84c3fd6bfa1723c670541667cdbf2d14ea63243f6def8f038cc

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Mono.Cecil.Mdb.pdb
      Filesize

      18KB

      MD5

      0ba762b6b5fbda000e51d66722a3bb2c

      SHA1

      260f9c873831096e92128162cc4dfcc5c2ba9785

      SHA256

      d18eb89421d50f079291b78783408cee4bab6810e4c5a4b191849265bdd5ba7c

      SHA512

      03496dce05c0841888802005c75d5b94ac5ca3aa88d754230b6f4619861e58c0492c814805cde104dc7071e2860ebc90a7fba402c65a0397fb519c57fca982f7

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Mono.Cecil.Pdb.dll
      Filesize

      87KB

      MD5

      6cd3ed3db95d4671b866411db4950853

      SHA1

      528b69c35a5e36cc8d747965c9e5ea0dc40323b8

      SHA256

      d67ebd49241041e6b6191703a90d89e68d4465adce02c595218b867df34581a3

      SHA512

      e8ae4caf214997cc440e684a963727934741fd616a073365fa1fc213c5ca336c12e117d7fa0d6643600a820297fc11a21e4ac3c11613fba612b90ebd5fc4c07e

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Mono.Cecil.Pdb.pdb
      Filesize

      25KB

      MD5

      8e07476db3813903e596b669d3744855

      SHA1

      964a244772ee23c31f9e79477fbccfd8ed9437e6

      SHA256

      aa6469974d04cba872f86e6598771663bb8721d43a4a0a2a44cf3e2cd2f1e646

      SHA512

      715e7f4979142a96b04f8cb2ffa4a1547cd509eb05cf73f0885de533d60fd43d0c5bba9c051871fd38d503cb61fe1a0ee24350f25d89476fbc3b794f0ff9998f

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Mono.Cecil.Rocks.dll
      Filesize

      27KB

      MD5

      c8f36848ce8f13084b355c934fc91746

      SHA1

      8f60c2fd1f6f5b5f365500b2749dca8c845f827a

      SHA256

      a08c040912df2a3c823ade85d62239d56abaa8f788a2684fb9d33961922687c7

      SHA512

      7c47f96e0e7dfaebb4dccf99fa0dda64c608634e2521798fd0d4c74eb2641c848fadad29c2cd26eb9b45acdfef791752959117a59e1f0913f9092e4662075115

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Mono.Cecil.Rocks.pdb
      Filesize

      8KB

      MD5

      17e3ccb3a96be6d93ca3c286ca3b93dc

      SHA1

      d6e2f1edc52bbef4d6d2c63c837a024d6483bbb3

      SHA256

      ca54d2395697efc3163016bbc2bb1e91b13d454b9a5a3ee9a4304012f012e5eb

      SHA512

      08c4fc7b9a7609aca8d1f7c7cd1b8c859c198d3d4e7cad012a6f9b5490afff04a330c46f3429d61e3a5570c82855deda64a0308b899f8e2f93f66ed50f7fad3b

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Mono.Cecil.dll
      Filesize

      337KB

      MD5

      7546acebc5a5213dee2a5ed18d7ebc6c

      SHA1

      b964d242c0778485322ccb3a3b7c25569c0718b7

      SHA256

      7744c9c84c28033bc3606f4dfce2adcd6f632e2be7827893c3e2257100f1cf9e

      SHA512

      30b3a001550dca88c8effc9e8107442560ee1f42e3d2f354cc2813ae9030bf872c76dc211fd12778385387be5937e9bf172ea00c151cab0bca77c8aafdd11f7d

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Mono.Cecil.pdb
      Filesize

      172KB

      MD5

      c0a69f1b0c50d4f133cd0b278ac2a531

      SHA1

      bcefbe60c18318f21ba53377a386733e9266c37d

      SHA256

      a4f79c99d8923bd6c30efafa39363c18babe95f6609bbad242bca44342ccc7bb

      SHA512

      c38b0b08e7d37f31ab4331fcc54033ec181dc399e39df602869846f53e3dc006425a81b7b08f352c5e54501e247657364dfc288085a7c1c552737d4db4f33406

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Newtonsoft.Json.dll
      Filesize

      683KB

      MD5

      6815034209687816d8cf401877ec8133

      SHA1

      1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

      SHA256

      7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

      SHA512

      3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\README.md
      Filesize

      2B

      MD5

      8cf8463b34caa8ac871a52d5dd7ad1ef

      SHA1

      a5d5b61aa8a61b7d9d765e1daf971a9a578f1cfa

      SHA256

      eb4bd64f7014f7d42e9d358035802242741b974e8dfcd37c59f9c21ce29d781e

      SHA512

      dd4f520768dafe6990081e74c73c7adff8bdde7f831aa9ea6b8de15d3ed53c7b04eaf15cb332f4ff3b55966b75612bd5c2dd5ca62139eee58470a7f5d59bb62f

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\RedLine.SharedModels.dll
      Filesize

      29KB

      MD5

      bee2969583715bfa584d073ac8d98c42

      SHA1

      37d1221ce6bb82e7ad08fd22bd13592815a23468

      SHA256

      5f92db78e43986f063632fb2cfafdce73e5e7e64979900783ca9a00016933375

      SHA512

      5c139b81a51477d8362be2bf72b9f2425d54ef67b4ad715fbe8aa11f8a57435abb7f23a7ecaee18611e559d1006c0df5dd3427b6e7c3caed38d8cffd79e4bb1c

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\System.Drawing.Pen.dll
      Filesize

      2.7MB

      MD5

      1d4e91345a76c90e0849c9389e66fe8c

      SHA1

      744393f64d9f95a987605ac14b721dbbc985901c

      SHA256

      1d820d1c1e9d661603cd32177fb128c9a6844fe2492b6fbb3120bd37553663b0

      SHA512

      e0c5fa5c9141e139d529b80058c1ff8fb252116076c57fbea106ee2500cb23d3a91b76f6348bc0bcf465acde510463352a960eefd29198f4068661342cbd28b8

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\Vestris.ResourceLib.dll
      Filesize

      76KB

      MD5

      944ce5123c94c66a50376e7b37e3a6a6

      SHA1

      a1936ac79c987a5ba47ca3d023f740401f73529b

      SHA256

      7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a

      SHA512

      4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.exe
      Filesize

      11KB

      MD5

      de6f68cdf350fce9be13803d84be98c4

      SHA1

      e37ec52f68ab48344579ccbfc4d2d90d3073c808

      SHA256

      51bbc69942823b84c2a1f0efdb9d63fb04612b223e86af8a83b4b307dd15cd24

      SHA512

      0344b764dc0a615d5a0bbb24ba442bd857d69fd3b102f243dafc9a9ae8776f6ad98f9af2cf680effaa5807451e310232224264ce9fe1bbc4a5f826833705ee8a

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\builder.pdb
      Filesize

      33KB

      MD5

      418dc008ef956465e179ec29d3c3c245

      SHA1

      4960b2952c6cc8de2295f145c3a4526bf6d1a391

      SHA256

      8c7e21b37540211d56c5fdbb7e731655a96945aa83f2988e33d5adb8aa7c8df1

      SHA512

      ad386b6cf99682d117dce3a38c37f45843ac87d9ad17608453c0dfe8dd2b74c0c19c46a35da8140dc3ffc61d2333d78ab1438723cfd74aac585c39f0f59542f2

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\Libraries\protobuf-net.dll
      Filesize

      274KB

      MD5

      d16fffeb71891071c1c5d9096ba03971

      SHA1

      24c2c7a0d6c9918f037393c2a17e28a49d340df1

      SHA256

      141b235af8ebf25d5841edee29e2dcf6297b8292a869b3966c282da960cbd14d

      SHA512

      27fb5b77fcadbe7bd1af51f7f40d333cd12de65de12e67aaea4e5f6c0ac2a62ee65bdafb1dbc4e3c0a0b9a667b056c4c7d984b4eb1bf4b60d088848b2818d87a

      Download Submit

    • C:\Users\Admin\Desktop\Redlinestealer2020-main\RedLine.MainPanel-cracked.exe
      Filesize

      633KB

      MD5

      baf102927947289e4d589028620ce291

      SHA1

      5ade9a99a86e5558e5353afa7844229ed23bdcd5

      SHA256

      a6d2d1ba6765e5245b0f62e37d9298e20c913c5a33912b98bd65a76fc5ab28ae

      SHA512

      973ecb034ba18a74c85165df743d9d87168b07539c8ef1d60550171bc0a5766a10b9e6be1425aea203be45b4175694a489ea1b7837faa3b1927ca019492ccd37

      Download Submit

    • memory/3108-133-0x00000000004E0000-0x00000000004EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4984-98-0x0000000005700000-0x00000000057B0000-memory.dmp

      Filesize

      704KB

      Download

    • memory/4984-61-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4984-102-0x00000000056A0000-0x00000000056EA000-memory.dmp

      Filesize

      296KB

      Download

    • memory/4984-120-0x0000000074290000-0x0000000074A41000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-119-0x0000000005960000-0x000000000596A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4984-111-0x0000000005A60000-0x0000000005D10000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/4984-93-0x00000000054E0000-0x00000000054EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4984-118-0x0000000006E90000-0x00000000074A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4984-88-0x0000000005500000-0x000000000551C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4984-117-0x0000000005890000-0x0000000005922000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4984-116-0x00000000062C0000-0x0000000006866000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4984-115-0x0000000005650000-0x000000000566A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4984-82-0x00000000054D0000-0x00000000054E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-78-0x00000000055F0000-0x000000000564A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4984-74-0x0000000005570000-0x00000000055E4000-memory.dmp

      Filesize

      464KB

      Download

    • memory/4984-107-0x0000000005530000-0x000000000553E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4984-70-0x0000000005470000-0x0000000005482000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4984-57-0x0000000000590000-0x0000000000634000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4984-66-0x0000000005490000-0x00000000054CE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4984-121-0x0000000074290000-0x0000000074A41000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-122-0x000000007429E000-0x000000007429F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4984-123-0x0000000009E70000-0x0000000009E82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4984-124-0x0000000009EE0000-0x0000000009F1C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4984-125-0x000000000A020000-0x000000000A06C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4984-126-0x000000000A6D0000-0x000000000A7DA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4984-127-0x000000000A5F0000-0x000000000A618000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4984-128-0x000000000A670000-0x000000000A6C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4984-129-0x0000000074290000-0x0000000074A41000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-130-0x0000000074290000-0x0000000074A41000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-131-0x000000000A160000-0x000000000A1FC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4984-56-0x000000007429E000-0x000000007429F000-memory.dmp

      Filesize

      4KB

      Download