redline | f6570c9d8216762973f6858e03fa7c19292fbe6429ed76220e0639344fb58e7b

General

Target

Tool.zip
Size

52.0MB
MD5

7cedd43892780c0a717738c28b0033d9
SHA1

8a9f801abb6d16bc60406c13ffc11f98ba54e367
SHA256

f6570c9d8216762973f6858e03fa7c19292fbe6429ed76220e0639344fb58e7b
SHA512

b4fe46794572ec33db150f4a4e3c5a21edacaeaee17c6a053ff5384221dcfcde87c9a8bd8c0412bdbea1f4ff2614cfb05cf9e67859d60fc3fe51d14111d66dd1
SSDEEP

786432:ZT69PiQJVg2Sqpq+dU+x8GRFo8d2Ye4iPj3j8Sw7G2gE+jWONh1CriDc0pRP0Zlh:ZTsEqcMTBd1uc7pgEyNKF+h0ZCmt

Score

10^/10

redline newprivatestub discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

NewPrivateStub

C2

51.195.206.227:38719

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1312-889-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 1 IoCs

pid	Process
3868	Tool.exe

Loads dropped DLL 1 IoCs

pid	Process
3868	Tool.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3868 set thread context of 1312	3868	Tool.exe	97

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1008	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1008	7zFM.exe
Token: 35	1008	7zFM.exe
Token: SeSecurityPrivilege	1008	7zFM.exe
Token: SeDebugPrivilege	3868	Tool.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1008	7zFM.exe
1008	7zFM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 1312	3868	Tool.exe	97
PID 3868 wrote to memory of 1312	3868	Tool.exe	97
PID 3868 wrote to memory of 1312	3868	Tool.exe	97
PID 3868 wrote to memory of 1312	3868	Tool.exe	97
PID 3868 wrote to memory of 1312	3868	Tool.exe	97
PID 3868 wrote to memory of 1312	3868	Tool.exe	97
PID 3868 wrote to memory of 1312	3868	Tool.exe	97
PID 3868 wrote to memory of 1312	3868	Tool.exe	97

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Tool.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2940

C:\Users\Admin\Desktop\Cracking Tool\Tool.exe
"C:\Users\Admin\Desktop\Cracking Tool\Tool.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Cracking Tool\ImagingBase.dll

Filesize
297KB

MD5
3b3c1f578d245297f6bad3167e55b888

SHA1
9c8beafdf0f75bc8d670e99bd57a61b228db3384

SHA256
dba0b91ee32ee57dce1f9c40cc44efb1b2a63cb3e4b99dd05c4aab992984435b

SHA512
d9daee8e5b4bfb45c7b946215ff97eb926a2d297c7aad4bd07c982d608e74dd9494a143ae4c84501ae372c70404e78cbbd49f1abeb269f149bd1ef91019ca4c9

Download Submit
C:\Users\Admin\Desktop\Cracking Tool\ImagingFlags.dll

Filesize
288B

MD5
71bc5315852312429b866fe0e9ed8ccd

SHA1
5793b58e22fb99279ea9e80dfe03d283a0b464ff

SHA256
e176a57ba727f71e40c19af9956e7e9bb24b12d179552ca3109db3333886c2de

SHA512
a3974c8ba4cf8498158d60de8fcf3859edbee320a00d3edc4fbaf4655b099b0ab83bb921e08566e31a0ae7c43e9b7a099dc03c534b4076a65a5a2ffd4ded39e8

Download Submit
C:\Users\Admin\Desktop\Cracking Tool\Tool.exe

Filesize
2.5MB

MD5
4d7e397e97d759700ff3d0f2ed5e7192

SHA1
b59053909d84ed942c864a683888701ede42caed

SHA256
b4d3bc33f79cea60a3908517408f24d9937a9a3416e36526a1465e7bf91d5f34

SHA512
70258a68abaec07393127b696b1959cb743429b002a378661fd86eb6d6e46b62ee5254097d2bd113ac751191c5099088bd332d3934a5d76531326e256a092966

Download Submit
C:\Users\Admin\Desktop\Cracking Tool\mpclient.dll

Filesize
1.9MB

MD5
7628a545a7259ae2b1df905b96c806c8

SHA1
d13a93c027c4938d8970d33b5e0f333016be2915

SHA256
47c00c3c9305b07ecf3f6a96c2cd0c728ee6ffdc431a242bae108071a00764d3

SHA512
8978cd4c6e27d07430e33f4a9c7a1a653247972e1f571a7699b43b84cbd4bc4f072196a24049ada576b3b63e3b9443d2f81b0d896761071f9f1e7d53c6df947f

Download Submit
memory/1312-892-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/1312-891-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/1312-889-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1312-893-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/1312-894-0x0000000006200000-0x0000000006818000-memory.dmp

Filesize
6.1MB

Download
memory/1312-895-0x0000000005370000-0x000000000547A000-memory.dmp

Filesize
1.0MB

Download
memory/1312-896-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1312-897-0x00000000052A0000-0x00000000052DC000-memory.dmp

Filesize
240KB

Download
memory/1312-898-0x00000000052F0000-0x000000000533C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing