redline | f7770ac3c808e534e9e780d4a9646563f417ee799a1215149eff400a2fcd7abc

Analysis

max time kernel
132s
max time network
142s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_24408c8137e564fcadf907d03059b9ae.exe
Size

2.3MB
MD5

24408c8137e564fcadf907d03059b9ae
SHA1

2f94d3f3f6b0ee2a74c2fc950fd3eec1eb779ba6
SHA256

f7770ac3c808e534e9e780d4a9646563f417ee799a1215149eff400a2fcd7abc
SHA512

67dd363f28653a51d5b0c0e6890b1aa09dc4db414b0a7bfcced7af35bcee7159d2f33c5bbec9d6315bd77be8b2fda61d6e37e461c030adc716060ec5ba692a38
SSDEEP

49152:z5+hFvSlBgZTf8PTHf5Xy2plOqzOmF/pUqa/98faZxiz8lVHTIioOFZQ+R:z5aFvKYTiRt0qNF/pUlCmxiqZ7R

Score

10^/10

redline @addicatedd discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@addicatedd

62.182.156.24:12780

Attributes

auth_value
bb67ccc49d44343128ca161d7fe51029

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019284-54.dat	family_redline
behavioral1/memory/2764-57-0x0000000000A30000-0x0000000000A4E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
2920	7z.exe
2924	7z.exe
1932	7z.exe
2716	7z.exe
2828	7z.exe
2764	@addicatedd.exe

Loads dropped DLL 10 IoCs

pid	Process
2572	cmd.exe
2920	7z.exe
2572	cmd.exe
2924	7z.exe
2572	cmd.exe
1932	7z.exe
2572	cmd.exe
2716	7z.exe
2572	cmd.exe
2828	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_24408c8137e564fcadf907d03059b9ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@addicatedd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2764	@addicatedd.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	2920	7z.exe
Token: 35	2920	7z.exe
Token: SeSecurityPrivilege	2920	7z.exe
Token: SeSecurityPrivilege	2920	7z.exe
Token: SeRestorePrivilege	2924	7z.exe
Token: 35	2924	7z.exe
Token: SeSecurityPrivilege	2924	7z.exe
Token: SeSecurityPrivilege	2924	7z.exe
Token: SeRestorePrivilege	1932	7z.exe
Token: 35	1932	7z.exe
Token: SeSecurityPrivilege	1932	7z.exe
Token: SeSecurityPrivilege	1932	7z.exe
Token: SeRestorePrivilege	2716	7z.exe
Token: 35	2716	7z.exe
Token: SeSecurityPrivilege	2716	7z.exe
Token: SeSecurityPrivilege	2716	7z.exe
Token: SeRestorePrivilege	2828	7z.exe
Token: 35	2828	7z.exe
Token: SeSecurityPrivilege	2828	7z.exe
Token: SeSecurityPrivilege	2828	7z.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2572	2100	JaffaCakes118_24408c8137e564fcadf907d03059b9ae.exe	30
PID 2100 wrote to memory of 2572	2100	JaffaCakes118_24408c8137e564fcadf907d03059b9ae.exe	30
PID 2100 wrote to memory of 2572	2100	JaffaCakes118_24408c8137e564fcadf907d03059b9ae.exe	30
PID 2100 wrote to memory of 2572	2100	JaffaCakes118_24408c8137e564fcadf907d03059b9ae.exe	30
PID 2572 wrote to memory of 2796	2572	cmd.exe	32
PID 2572 wrote to memory of 2796	2572	cmd.exe	32
PID 2572 wrote to memory of 2796	2572	cmd.exe	32
PID 2572 wrote to memory of 2920	2572	cmd.exe	33
PID 2572 wrote to memory of 2920	2572	cmd.exe	33
PID 2572 wrote to memory of 2920	2572	cmd.exe	33
PID 2572 wrote to memory of 2924	2572	cmd.exe	34
PID 2572 wrote to memory of 2924	2572	cmd.exe	34
PID 2572 wrote to memory of 2924	2572	cmd.exe	34
PID 2572 wrote to memory of 1932	2572	cmd.exe	35
PID 2572 wrote to memory of 1932	2572	cmd.exe	35
PID 2572 wrote to memory of 1932	2572	cmd.exe	35
PID 2572 wrote to memory of 2716	2572	cmd.exe	36
PID 2572 wrote to memory of 2716	2572	cmd.exe	36
PID 2572 wrote to memory of 2716	2572	cmd.exe	36
PID 2572 wrote to memory of 2828	2572	cmd.exe	37
PID 2572 wrote to memory of 2828	2572	cmd.exe	37
PID 2572 wrote to memory of 2828	2572	cmd.exe	37
PID 2572 wrote to memory of 2732	2572	cmd.exe	38
PID 2572 wrote to memory of 2732	2572	cmd.exe	38
PID 2572 wrote to memory of 2732	2572	cmd.exe	38
PID 2572 wrote to memory of 2764	2572	cmd.exe	39
PID 2572 wrote to memory of 2764	2572	cmd.exe	39
PID 2572 wrote to memory of 2764	2572	cmd.exe	39
PID 2572 wrote to memory of 2764	2572	cmd.exe	39

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24408c8137e564fcadf907d03059b9ae.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_24408c8137e564fcadf907d03059b9ae.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p___________23122pwd21060pwd19019pwd5588pwd24268pwd28121___________ -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\attrib.exe
    attrib +H "@addicatedd.exe"
    3⤵
    - Views/modifies file attributes
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\main\@addicatedd.exe
    "@addicatedd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\@addicatedd.exe

Filesize
102KB

MD5
4d8f7f835e2f8856049b1c4941943075

SHA1
8eef99e3164872b912967405009072e377d27a01

SHA256
81ea3ada2e2b9436589d9758eb2263483d175e36e6d4f113986ee3f479e36225

SHA512
30f8b0b489d1ae0546f61ad2d638a1097da1d577bf1dd711d3be0e5a635aff90b9f8477abf047c595807c3657020e88e2fd585fa5d5b533209df9644a8dea34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
8f13899fbb84235bd2dea4f37bf1580b

SHA1
e9ba48d997a1416a38c0564c25cb19e2ca3a7883

SHA256
7067653312f4e4b849668613f60d99f17077e66c7a97a5b9a0ec117f5e3a0dc8

SHA512
b7f82d96e91e748759fe4ca9c088cb656882368b830f42d9f8bc23592b01de2875ad8dfb7f8ffa105def80b77ce7dd0018e22a6981eed2474d1a3e8bf95c0d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
42KB

MD5
05c63dfd710d9da7266e1aad1c7cc12d

SHA1
33af49900ebefd27063757c8b69435076629eaf5

SHA256
370f118fd4a78972d3752a9ab4a65a9cdb5716d58f1351385c5ddd5b4fa75ea1

SHA512
804b474ff7fd09725697fbd854d0871d02aaf50f0da17d6b574aaf4adc0bb2e655004e177ec9dcbea6c438dd19c312976fc694b34c61f64c0ecc8eac5b64876c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
42KB

MD5
85a38f869000247abf4fd593651e8a4d

SHA1
517f0fa4908aeb013726967037b5451302819821

SHA256
2196f64b52cd1f5e238d05ac1a7ebac2f6452a8cae7e71c772f6a101ab2a428a

SHA512
203640fba22d3f404265f130516c557e82d2e112128aae70ded577c0fa55d970821b9e0374c71b40c52189f8374adce01943e2d17ca972eaea89c280cc000a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
43KB

MD5
53d1594972b3358c223a9af6731888f4

SHA1
2a376b302bf7d73d64c5248433c98263af852549

SHA256
a40b1f08ddf7da357384cf138f3a8bdf9abd49090717ef0f886172e998d34645

SHA512
3a1a170237d9c128acc8302b9e5bd0686ccc29082431aa076cf8225a795376b29d38455b301ba00b3f29318eb2e7151e59c37d07552ec2da07ccb40b2e5c4e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
1.6MB

MD5
f10a53036bf93a007492aad260c32636

SHA1
42a80df0347e82cf724c2bc7c6469720510bc50b

SHA256
16270f6e8b24254d68442bbb8debca43ce40a330f2428cf61ecf09633fec33e7

SHA512
0ab8a21466ee6f19be82a8ddc402fc924a02a8d9ce7ea360fc2dfc380357b359754a6538d8b05686c53d53b3a7d3b73cb6f17d9d1ad34226d2a8204ac9a406bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
d48a49db7f8cc07ee0e49682bd1c5ddf

SHA1
f4719a6f43291fdcb2d1f2655a9f9c22e0d865a3

SHA256
fd2a0424b09c299f01641a131d37fded08d279d1ad5bd0bca142c802ae455f3f

SHA512
2d7d51890f2314845bb418e5fd16f92445d1900f5ffc00f126eb3691c3d7c87b2c5a8a7f6f3b74f0db7dc257ecdd858216512318733f72ea6607521ec330a053

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
522B

MD5
954efe92030bade8830bb48a391a0107

SHA1
db7c0a6b57c6f5e4965413c4e3af51400e48f865

SHA256
042e3acbc7b707cbfe152ac5b92b7077bb41880eb6185aa2f8034f834d48c53b

SHA512
b3d3683296e5a354d32312ecfcfca5b9b22d7e7d0f3190de4589f965c5a8fd04b93edfdd15c90377496045dca0456f3f236e581271805863d5ee58361592ff66

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2764-57-0x0000000000A30000-0x0000000000A4E000-memory.dmp

Filesize
120KB

Download