redline | 6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24

Analysis

max time kernel
117s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24.exe
Size

2.3MB
MD5

ef27e969469ade98137d810ca31a60dc
SHA1

00d08d991aee935072d5cc79bc248939506330ed
SHA256

6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24
SHA512

aafa058119477e47056daa5f2caa18416a3115af377d622efac3d9ccde0733ecbd867edd93a613f093d61604762ba69cdf39d818db71fead6b4ca8c0c8a4e8d7
SSDEEP

49152:tvBbeWBERUqMwkHH+TtVrDH6MLPA5pvBbeWBERUqMwkHH+7:tvohRUdeTTHL4rvohRUde7

Score

10^/10

redline 816fa discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

816FA

88.99.151.68:7200

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3624-33-0x0000000000F50000-0x0000000000FA2000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24.exe

Executes dropped EXE 1 IoCs

pid	Process
1160	Community.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2684	tasklist.exe
1816	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Community.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4040	schtasks.exe
1384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif
1160	Community.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	tasklist.exe
Token: SeDebugPrivilege	1816	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1160	Community.pif
1160	Community.pif
1160	Community.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1160	Community.pif
1160	Community.pif
1160	Community.pif

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 3020	780	6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24.exe	85
PID 780 wrote to memory of 3020	780	6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24.exe	85
PID 780 wrote to memory of 3020	780	6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24.exe	85
PID 3020 wrote to memory of 2684	3020	cmd.exe	87
PID 3020 wrote to memory of 2684	3020	cmd.exe	87
PID 3020 wrote to memory of 2684	3020	cmd.exe	87
PID 3020 wrote to memory of 2632	3020	cmd.exe	88
PID 3020 wrote to memory of 2632	3020	cmd.exe	88
PID 3020 wrote to memory of 2632	3020	cmd.exe	88
PID 3020 wrote to memory of 1816	3020	cmd.exe	90
PID 3020 wrote to memory of 1816	3020	cmd.exe	90
PID 3020 wrote to memory of 1816	3020	cmd.exe	90
PID 3020 wrote to memory of 3864	3020	cmd.exe	91
PID 3020 wrote to memory of 3864	3020	cmd.exe	91
PID 3020 wrote to memory of 3864	3020	cmd.exe	91
PID 3020 wrote to memory of 4880	3020	cmd.exe	92
PID 3020 wrote to memory of 4880	3020	cmd.exe	92
PID 3020 wrote to memory of 4880	3020	cmd.exe	92
PID 3020 wrote to memory of 720	3020	cmd.exe	93
PID 3020 wrote to memory of 720	3020	cmd.exe	93
PID 3020 wrote to memory of 720	3020	cmd.exe	93
PID 3020 wrote to memory of 3932	3020	cmd.exe	94
PID 3020 wrote to memory of 3932	3020	cmd.exe	94
PID 3020 wrote to memory of 3932	3020	cmd.exe	94
PID 3020 wrote to memory of 1160	3020	cmd.exe	95
PID 3020 wrote to memory of 1160	3020	cmd.exe	95
PID 3020 wrote to memory of 1160	3020	cmd.exe	95
PID 3020 wrote to memory of 3720	3020	cmd.exe	96
PID 3020 wrote to memory of 3720	3020	cmd.exe	96
PID 3020 wrote to memory of 3720	3020	cmd.exe	96
PID 1160 wrote to memory of 4744	1160	Community.pif	98
PID 1160 wrote to memory of 4744	1160	Community.pif	98
PID 1160 wrote to memory of 4744	1160	Community.pif	98
PID 1160 wrote to memory of 4040	1160	Community.pif	100
PID 1160 wrote to memory of 4040	1160	Community.pif	100
PID 1160 wrote to memory of 4040	1160	Community.pif	100
PID 4744 wrote to memory of 1384	4744	cmd.exe	103
PID 4744 wrote to memory of 1384	4744	cmd.exe	103
PID 4744 wrote to memory of 1384	4744	cmd.exe	103
PID 1160 wrote to memory of 3624	1160	Community.pif	111
PID 1160 wrote to memory of 3624	1160	Community.pif	111
PID 1160 wrote to memory of 3624	1160	Community.pif	111
PID 1160 wrote to memory of 3624	1160	Community.pif	111
PID 1160 wrote to memory of 3624	1160	Community.pif	111

C:\Users\Admin\AppData\Local\Temp\6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24.exe
"C:\Users\Admin\AppData\Local\Temp\6fad31465beaf0eafb53717fd5a9d0fa000e8b7d7716d9cf2b5646a54cf8db24.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Cassette Cassette.cmd & Cassette.cmd & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 177479
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "FoolBurkeRetainedWait" Drop
    3⤵
    - System Location Discovery: System Language Discovery
    PID:720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Tracked + ..\Luggage + ..\Prime + ..\Involved + ..\Fluid + ..\Newport + ..\Rod + ..\Society s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3932
- - C:\Users\Admin\AppData\Local\Temp\177479\Community.pif
    Community.pif s
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Capable" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1384
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /create /tn "SkyPilot" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkyNav Technologies\SkyPilot.js'" /sc onlogon /F /RL HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3624
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 15
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\177479\Community.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\177479\s

Filesize
550KB

MD5
2b13a9489351b8c1d7fea05188c2355c

SHA1
c22a5d57303bc2887f1439e695d6d537ca32cb03

SHA256
2dec1a0fd2bc8d3e538484d0c8914fbf3306ee9bec35afeabf9cee4104e1df8d

SHA512
2424ccb73856d97248047521c24009c1ba619d30784fcde64c7ba30d06efa577f91bc26450cb2cbf560849f57ce58619a6474bd7e3ec3d03236dbdd303ccbde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cassette

Filesize
6KB

MD5
4f0abd6588c8c75164b32182d57064d0

SHA1
ca56a2a18f885325af7a9608fd37bdcfd9928f60

SHA256
cd27421f2758e883e53d498e3fafba2b519688c1f482489d51ad75a4fbff3b5f

SHA512
57267ee995b563840ee8d1b29e194b037bf39cc4cd9acf33beb9ce8a43137eaf70405139558e789453ffbcceae176f08cbae653a4635f97358cf5c6c0582f8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drop

Filesize
241B

MD5
3b1ee79ec6fe9dfb3629ab806fe1b2d6

SHA1
d3005fed3fcd45b8242a5c72ac9e96f87b72f6b9

SHA256
73bdf5cf3e6b23be2ad017516c63467578798c5c9b92923ac5a85fad74687505

SHA512
b1973db9bab3b551aaf741bfe1cf04ee2e65a7987b89a3027f4a048af0e1d9c14bb5dfe179cb5e9c06adb9fcf64d3c3b5ba0b6e6af5cf62c56e5bf1603468a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fluid

Filesize
77KB

MD5
3c7d5da72c368a40bcfd258a8728aec6

SHA1
47bf8b740677c22b6f33128c3e67095cda710ef0

SHA256
ee0d0d10a8e626b9ba71378297dc13dd0cc1f5814d505524be75a9b4cbf2e703

SHA512
4cecccac58b6b2102c30a21da722fcfa9a075619c015fb6e5405bf9caa116993d765490609837e8003f49ce4bf06c96c488ddbe99151dbb7b2b243b9f5944c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Involved

Filesize
92KB

MD5
8ec3ecfac9a939428d32f07837ca00ef

SHA1
9229486c66f359f92d5f704e1a67caa9aedb7523

SHA256
b32582f214374b6358e389038419f16912a4812fb139492677870b7cbd0fa00e

SHA512
8410ecbb278801a1ef44d8599f68a7f5928bb7f3cfcecdbe57898ffb897d9b8ac1b4020e3502a359782a13d6200bb228afd3164da29a1cde89491218401e1f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luggage

Filesize
59KB

MD5
85b7d2edb777e816b0597df78af14cb1

SHA1
361bf29d1b667029e3c7e421dc9d60fc6c7e12be

SHA256
73b17516142e6f26d6eec9da8e1700268175cfacb62303fb8b3ea073afa035c5

SHA512
045e0dc2b5b480ca521264dd951c9fe9aed70d7ece51bb97e1d9acb83f6a9bfeb06e41ec67d886e204b01777728546c49352bd0b492784a0f3b0476cffd5b654

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newport

Filesize
81KB

MD5
3848c192447fcf1281796dd46e8449cc

SHA1
c727acea27cc04c246f4f9d502625f017f7b1300

SHA256
f261f507e779e7ec2b5580e7ebcc48024253f02b4478bad30020080c68241a9b

SHA512
5152966433a7bfe11d9738990fcd45b57ece95c99284cde0bfd3fc096265a6334bf4e2d274e3ddc08132eb9839805775e4a1bf95fe37b11225c5eb98048d3394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prime

Filesize
58KB

MD5
025e06b944d66cceccd594a71a7f6a84

SHA1
c32ef76e8ee6df6b9d47774c9c7664738d74d486

SHA256
a93408df366ea9bb432d6ee58b995b829193acad7790b4e2c7714aa4cf7676bb

SHA512
fc00bf517ae1ed8eff491cec8c6f600e3ff87463be928d04c273dcc81e3ebe2db56c1a134f55ef9726e74f042d518bea0f93607077ee2568e756e58f0854d22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rod

Filesize
78KB

MD5
807b5fb1b7d75a5b808e1c97911fdcc3

SHA1
bc12b9f63b3beb8b7f64b61f5245a0afa073593c

SHA256
2933796e3bee9cea7fcce9a06adc6260b02a1b6e2822e631d1a8cbe3c9948ede

SHA512
691b7b4b9245f7ea107c86053270cfa14788b7e67748152289c4c4368ad77850dda57a29be6d2f673cd29d1ef55bace2614166e5217a4a22d8a45a455583774c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Society

Filesize
32KB

MD5
00ebb35a9981daf9dbfc5c9e05ab93eb

SHA1
00cb1d8643b336f926a39528a73a1a27ee9f1be3

SHA256
169770a72d10369cc74decc8f5b9730f533772675021d17b66f62b9180f40aea

SHA512
1c3a54257e12bc56900b095738fc46d3b5c8fa2cab2d20e309115286e5d6959c8be7176ed07171f90994062fbfbb72a2a57cae654954eb4cf86adbc134df2345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Strikes

Filesize
872KB

MD5
4fe6d24625898f968f3ab23d7d0ad336

SHA1
bb9d475da747f9bb506607d8c2a0282c629691a1

SHA256
f1de84e03842252e12584bb031466ddc3070291fdac398ca0f8d000421d34311

SHA512
681f4b955605423cf91fc191b602d7d69eea123a96c9b78f43e62b34b343825316a70269da4f5c805462f26e538e456670b5e2f2f36c55a76b6d19b51bc37d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDA81.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tracked

Filesize
73KB

MD5
21c97d86182d75bcaa3d2fc8bba1ff72

SHA1
3b22e3f9eeb685d2ce6ecf97f317ce69d6ac3976

SHA256
7f946ec102576eaadf519bed523deec5fe92a69ae849711f446c23b4ae36e886

SHA512
964e8c09f41687d2ac09fea914a0e1ce5ec6615295d8eca5de7d8a94920783c5d7e314949c6f926bef831407421f3e29c6d417433539713f8c2e1ec26b53102f

Download Submit
memory/3624-34-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/3624-35-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/3624-36-0x00000000056B0000-0x00000000056BA000-memory.dmp

Filesize
40KB

Download
memory/3624-33-0x0000000000F50000-0x0000000000FA2000-memory.dmp

Filesize
328KB

Download
memory/3624-53-0x0000000006350000-0x00000000063C6000-memory.dmp

Filesize
472KB

Download
memory/3624-54-0x0000000006C70000-0x0000000006C8E000-memory.dmp

Filesize
120KB

Download
memory/3624-57-0x00000000072B0000-0x00000000078C8000-memory.dmp

Filesize
6.1MB

Download
memory/3624-58-0x0000000006E00000-0x0000000006F0A000-memory.dmp

Filesize
1.0MB

Download
memory/3624-59-0x0000000006D40000-0x0000000006D52000-memory.dmp

Filesize
72KB

Download
memory/3624-60-0x0000000006DA0000-0x0000000006DDC000-memory.dmp

Filesize
240KB

Download
memory/3624-61-0x0000000006F10000-0x0000000006F5C000-memory.dmp

Filesize
304KB

Download