redline | 9e3f93ae0a1f76351b69714917b3f1cd965b09e2e696964b28d693c14f71f007

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2593da293c10bebca0895f0636e56689.exe
Size

2.3MB
MD5

2593da293c10bebca0895f0636e56689
SHA1

27201a2d876de5c1fc1b735f0f671398ebc6f2a5
SHA256

9e3f93ae0a1f76351b69714917b3f1cd965b09e2e696964b28d693c14f71f007
SHA512

fa6d250297cf381d5181a81d8efe319cc2f278383e992d98e72823dd37498cd8d04e43e6c8830995f2d8908e09cc2bcd8d1762cf9a2245f5387b2f317f74c469
SSDEEP

49152:u5+hFCrwa4SLwi/MfjOPwm5hIarqMYASJmcmUDLh6ZuWxjwMGxiz8lVHTIioOFZT:u5aFiwc0YwjOPHZ3cm2oZuojexiqZ7H

Score

10^/10

redline @kissyt discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@kissyt

62.182.156.24:12780

Attributes

auth_value
bb67ccc49d44343128ca161d7fe51029

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000195ff-96.dat	family_redline
behavioral1/memory/2076-99-0x0000000001150000-0x0000000001170000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 12 IoCs

pid	Process
2436	7z.exe
2876	7z.exe
2760	7z.exe
2932	7z.exe
2872	7z.exe
2748	7z.exe
2652	7z.exe
336	7z.exe
2676	7z.exe
1712	7z.exe
1800	7z.exe
2076	bild.exe

Loads dropped DLL 22 IoCs

pid	Process
2072	cmd.exe
2436	7z.exe
2072	cmd.exe
2876	7z.exe
2072	cmd.exe
2760	7z.exe
2072	cmd.exe
2932	7z.exe
2072	cmd.exe
2872	7z.exe
2072	cmd.exe
2748	7z.exe
2072	cmd.exe
2652	7z.exe
2072	cmd.exe
336	7z.exe
2072	cmd.exe
2676	7z.exe
2072	cmd.exe
1712	7z.exe
2072	cmd.exe
1800	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2593da293c10bebca0895f0636e56689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bild.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2076	bild.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	2436	7z.exe
Token: 35	2436	7z.exe
Token: SeSecurityPrivilege	2436	7z.exe
Token: SeSecurityPrivilege	2436	7z.exe
Token: SeRestorePrivilege	2876	7z.exe
Token: 35	2876	7z.exe
Token: SeSecurityPrivilege	2876	7z.exe
Token: SeSecurityPrivilege	2876	7z.exe
Token: SeRestorePrivilege	2760	7z.exe
Token: 35	2760	7z.exe
Token: SeSecurityPrivilege	2760	7z.exe
Token: SeSecurityPrivilege	2760	7z.exe
Token: SeRestorePrivilege	2932	7z.exe
Token: 35	2932	7z.exe
Token: SeSecurityPrivilege	2932	7z.exe
Token: SeSecurityPrivilege	2932	7z.exe
Token: SeRestorePrivilege	2872	7z.exe
Token: 35	2872	7z.exe
Token: SeSecurityPrivilege	2872	7z.exe
Token: SeSecurityPrivilege	2872	7z.exe
Token: SeRestorePrivilege	2748	7z.exe
Token: 35	2748	7z.exe
Token: SeSecurityPrivilege	2748	7z.exe
Token: SeSecurityPrivilege	2748	7z.exe
Token: SeRestorePrivilege	2652	7z.exe
Token: 35	2652	7z.exe
Token: SeSecurityPrivilege	2652	7z.exe
Token: SeSecurityPrivilege	2652	7z.exe
Token: SeRestorePrivilege	336	7z.exe
Token: 35	336	7z.exe
Token: SeSecurityPrivilege	336	7z.exe
Token: SeSecurityPrivilege	336	7z.exe
Token: SeRestorePrivilege	2676	7z.exe
Token: 35	2676	7z.exe
Token: SeSecurityPrivilege	2676	7z.exe
Token: SeSecurityPrivilege	2676	7z.exe
Token: SeRestorePrivilege	1712	7z.exe
Token: 35	1712	7z.exe
Token: SeSecurityPrivilege	1712	7z.exe
Token: SeSecurityPrivilege	1712	7z.exe
Token: SeRestorePrivilege	1800	7z.exe
Token: 35	1800	7z.exe
Token: SeSecurityPrivilege	1800	7z.exe
Token: SeSecurityPrivilege	1800	7z.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2072	1956	JaffaCakes118_2593da293c10bebca0895f0636e56689.exe	31
PID 1956 wrote to memory of 2072	1956	JaffaCakes118_2593da293c10bebca0895f0636e56689.exe	31
PID 1956 wrote to memory of 2072	1956	JaffaCakes118_2593da293c10bebca0895f0636e56689.exe	31
PID 1956 wrote to memory of 2072	1956	JaffaCakes118_2593da293c10bebca0895f0636e56689.exe	31
PID 2072 wrote to memory of 1580	2072	cmd.exe	33
PID 2072 wrote to memory of 1580	2072	cmd.exe	33
PID 2072 wrote to memory of 1580	2072	cmd.exe	33
PID 2072 wrote to memory of 2436	2072	cmd.exe	34
PID 2072 wrote to memory of 2436	2072	cmd.exe	34
PID 2072 wrote to memory of 2436	2072	cmd.exe	34
PID 2072 wrote to memory of 2876	2072	cmd.exe	35
PID 2072 wrote to memory of 2876	2072	cmd.exe	35
PID 2072 wrote to memory of 2876	2072	cmd.exe	35
PID 2072 wrote to memory of 2760	2072	cmd.exe	36
PID 2072 wrote to memory of 2760	2072	cmd.exe	36
PID 2072 wrote to memory of 2760	2072	cmd.exe	36
PID 2072 wrote to memory of 2932	2072	cmd.exe	37
PID 2072 wrote to memory of 2932	2072	cmd.exe	37
PID 2072 wrote to memory of 2932	2072	cmd.exe	37
PID 2072 wrote to memory of 2872	2072	cmd.exe	38
PID 2072 wrote to memory of 2872	2072	cmd.exe	38
PID 2072 wrote to memory of 2872	2072	cmd.exe	38
PID 2072 wrote to memory of 2748	2072	cmd.exe	39
PID 2072 wrote to memory of 2748	2072	cmd.exe	39
PID 2072 wrote to memory of 2748	2072	cmd.exe	39
PID 2072 wrote to memory of 2652	2072	cmd.exe	40
PID 2072 wrote to memory of 2652	2072	cmd.exe	40
PID 2072 wrote to memory of 2652	2072	cmd.exe	40
PID 2072 wrote to memory of 336	2072	cmd.exe	41
PID 2072 wrote to memory of 336	2072	cmd.exe	41
PID 2072 wrote to memory of 336	2072	cmd.exe	41
PID 2072 wrote to memory of 2676	2072	cmd.exe	42
PID 2072 wrote to memory of 2676	2072	cmd.exe	42
PID 2072 wrote to memory of 2676	2072	cmd.exe	42
PID 2072 wrote to memory of 1712	2072	cmd.exe	43
PID 2072 wrote to memory of 1712	2072	cmd.exe	43
PID 2072 wrote to memory of 1712	2072	cmd.exe	43
PID 2072 wrote to memory of 1800	2072	cmd.exe	44
PID 2072 wrote to memory of 1800	2072	cmd.exe	44
PID 2072 wrote to memory of 1800	2072	cmd.exe	44
PID 2072 wrote to memory of 1288	2072	cmd.exe	45
PID 2072 wrote to memory of 1288	2072	cmd.exe	45
PID 2072 wrote to memory of 1288	2072	cmd.exe	45
PID 2072 wrote to memory of 2076	2072	cmd.exe	46
PID 2072 wrote to memory of 2076	2072	cmd.exe	46
PID 2072 wrote to memory of 2076	2072	cmd.exe	46
PID 2072 wrote to memory of 2076	2072	cmd.exe	46

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1288	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2593da293c10bebca0895f0636e56689.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2593da293c10bebca0895f0636e56689.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p___________29783pwd19393pwd12772pwd8909pwd27852pwd25744pwd14383___________ -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_10.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\system32\attrib.exe
    attrib +H "bild.exe"
    3⤵
    - Views/modifies file attributes
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\main\bild.exe
    "bild.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
b14ec742af218c5e8103c238945b46ba

SHA1
2fa1b3bf322359750b106e66b7829ea76e029fb6

SHA256
c41be9cfd72d0004d68d11beabb25c7c09e5a7c81f49c2004094dfdc681e7889

SHA512
fd20d7dcdecbcb2a185c73f248f9c4090d0def62ddda6bcf2f8e891d73faae3ddc4287575dd2bafdf2dc9bb8203ba465883a7d0ca226b22c86e6cc9b12acbf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\bild.exe

Filesize
104KB

MD5
e34a55a90ff2c71809d41b65cd7817f9

SHA1
b93d259f4918264ee7b46a17a5736a59149e6f5f

SHA256
ccf645ccd85d91b6a9a01044d72ac8879da021416113a74bb7588e17b06fcd7b

SHA512
c101e63333fa364f53835c476f8a299b95da0b6a21673d005bee715c6c3cb66dd3982607ce7b31cb3744c8b1def1d020839ef654ddc82999d25db1c0acedf00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
43KB

MD5
ca18bf83bff029b2ce2729c56fd14199

SHA1
20249ffe4843d6f925a3a1c6177b9dfeba72d376

SHA256
248c00ddcfe789719baac113396e992f00d1757e13b34fadff464a6fb5f22c06

SHA512
784b67937cd133aba86e1e8bce7a70cafcba4acd294f51fc3d428b6fb4e1c2f12fb84322e3aeecc8e1830fb136873ee29f37b809a9e757c1630a05cb733c6b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
1.6MB

MD5
8ddef9c49e170a324f348c9eff284966

SHA1
d68d0e0ba0bde529d0c079b9d4c681f57b3b29d2

SHA256
80113ad4ad151d9725b2deb0c3ac59a984c97803d58217304320bc30fbb341d4

SHA512
85d89dc98a9548092ff6a576757f4a7d5d6381a1f74291a342dc8bc6195b7e29a5ca12b7f3a10eb2b6efc5269d5e54d3aa8cb7124c539bfcd035451643bb9508

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
43KB

MD5
df419191fd93a9bbc5cd1d4bd3b2614f

SHA1
d974478d3a2583697b359de6947ea747032daec1

SHA256
51a148a77ea6524b71af2febb51a07b872c35fe8feb915f9270e45e5c277150b

SHA512
0420423016ee1c8e202a9a4825cc9cf99206fa82517f78612dbd02f6118ceae7805a8cebdfd520ae08e4872295f63d2b0cc9d47feca8e04c63db1cd79c803995

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
44KB

MD5
b4ab662b21302e8eb0308aaf9b661036

SHA1
7e0d1de1070410a24c1df82b1fa26074c5d12185

SHA256
c333e92b6459f2ad2e940c331414c99a8d5103dd0bf8fa2541c24de6f31540c7

SHA512
beeb6edd8752bbb889afba7d915a213709c3408f7741c7e0925ca4db71b44036d0d2589813f42355ec77651e4c1701b9f86915921b0367b42ecdf9619979ce34

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
44KB

MD5
dd49bf0ebd5df0401177739a932f9d6e

SHA1
7ead8be5fc5aa2cdcb03981a89de8ba4b8099db9

SHA256
ddc18c1d846c84ae6df2b7480ec4df0995d338187c1046fd1ff9b49478e1851f

SHA512
befb16ccc817d899b056512c1effe2b757b3b7a9e6afdeea6d7cb594c45a290ea1cf2e8402aa7582d5bb98d48ee02b841aed7f4d39640f67eb62b4c674f3cb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
44KB

MD5
e7483b41fbfe506f26f1a504b618e819

SHA1
8ff4c76318765ff3f484f02e8a43c8da3fb548f3

SHA256
e01d5e70df82f5725e23d4bc1f4fc460d4482191843bd3ce18d22d655d8be8ce

SHA512
358eecef7a4f3443100c83e1eb671218e625e730ef59a6007a750de9e82f85548e29e6bc1e9b50128a23300fe62f88a38e4e7f72defa1ad9515a870a7202ed4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
44KB

MD5
3982673f62b6fbbe38c91245bc412f86

SHA1
6499e8a235610f8c796051815c643d6ff342bfec

SHA256
857bfc0873ec950f4b94ec05a880b1f8320a37b364ce58fe915e9576d045bcfe

SHA512
3b814381cce232ba27f0d76337b0f63e32cdc0229c0be18e45ae007a41a1798a50963caff7beb6893bdf058a20dcc232ec09d54b041cd090fde2c2dc46f026fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
44KB

MD5
c66ad08af96bd54e50f40fab02994c45

SHA1
002ce5ad7a410e5f7dbc739a7d95e274756ffc67

SHA256
b71250b48d62e797af001d858f5fd4ce233590837e6edcceee5baa985b5b2d84

SHA512
422eb98f889591ebf6edc1934c7b43f3901868ad1149cf9356726b988183ea1e3b853f852c269edf54d765dff11072509560ad352e44293790dea4e842796179

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
44KB

MD5
a2afcde35ffc208876cc8d05a977a2a9

SHA1
e51bd3eadfaf232fa9ead6d2f3bc3c00a96089c6

SHA256
7e44a5eb7a9a33b90468a7df349a18c97a743308e386c3e81d0a4a7e8f88c6e5

SHA512
8e70df438b6c8e1d7d417f8e8747aa59c980f79a235fb8a0dff1aa8a027fe183625af7fd29aa7f3f80d165fee690a77cb1076bb21e8507ccf1578173ea70a1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
44KB

MD5
65f2772b6505d45a2db6ac742652d8c6

SHA1
c13fac816c1dc4637a9b61438c023e1c6ed80637

SHA256
b2d4c236439cb879130c4d8458790ea1890d26557ad74a0991c9bfbe8b12a392

SHA512
724592163279627c0856e2d2065c338a4f49296e6ee88959af05cfc7709726322a1dc59ac64d6299df41b68ca908a51d71dbdc62e0a74b43eb6fd35ce2a157c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
04f549f38286af52578374a1c2074b89

SHA1
dfce157fe1b58dbed9855412b857ba66aed605f4

SHA256
7c1eeac03e9218dab57e658fceaf920769f9987fe0dd550aa0a4673715c4a449

SHA512
76be6fcdb720096259091c8cacbc3bacd33bc256c1a2455a4cdace85b7e6f689fbb5ef4a2d980a4b7035df0efa6181830633405907c913fb2ddbecbd78276d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
496B

MD5
56d6975d2d7a9a569611d984a9ff2edc

SHA1
a596f2563ac7a5adcf98a24cc24b468cbd5b1f3f

SHA256
274858c65dcdea186e7b3ce7848f10a39e400462fdff4d57e304fd87f0a4de29

SHA512
158d7aff224143713995aab34dc1f6538bfde4360c4fab6487924adf11ccc54631ca0c57b8d4a8181518d8f5fdd22af70d161dd6863d578a2f51db822ad67379

Download Submit
memory/2076-99-0x0000000001150000-0x0000000001170000-memory.dmp

Filesize
128KB

Download