redline | b275923761c65cf5ed348b36508d1369d59f1fe4cd471acbd995b7c16df27cb9

Analysis

max time kernel
138s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe
Size

2.3MB
MD5

72919bf5ac55f584c67da2004287e124
SHA1

97d545f94fbac0bb6458ec0a1dcedcf969f7cf93
SHA256

b275923761c65cf5ed348b36508d1369d59f1fe4cd471acbd995b7c16df27cb9
SHA512

cdc82826777156b258d8642375088e7fe46b807ba59793b082129cded2f0f76427f64de74421db82c9ebac1568a692dd361176f5c5bca65f1d1af0d2b4f16c5d
SSDEEP

49152:H5+hFHxq1JcJ05gwY7xnXst4sQWKh+BH8gjlPh4Tcaxiz8lVHTIioOFZQ+v:H5aFRqxl6hyHHa+BH1jngcaxiqZ7v

Score

10^/10

redline @normhhd discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@normhhd

62.182.156.24:12780

Attributes

auth_value
bb67ccc49d44343128ca161d7fe51029

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000195c6-96.dat	family_redline
behavioral1/memory/1640-99-0x0000000000E80000-0x0000000000EA0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 12 IoCs

pid	Process
2660	7z.exe
1780	7z.exe
2756	7z.exe
2008	7z.exe
1928	7z.exe
1820	7z.exe
3044	7z.exe
2496	7z.exe
700	7z.exe
2736	7z.exe
544	7z.exe
1640	@normhhd.exe

Loads dropped DLL 22 IoCs

pid	Process
2796	cmd.exe
2660	7z.exe
2796	cmd.exe
1780	7z.exe
2796	cmd.exe
2756	7z.exe
2796	cmd.exe
2008	7z.exe
2796	cmd.exe
1928	7z.exe
2796	cmd.exe
1820	7z.exe
2796	cmd.exe
3044	7z.exe
2796	cmd.exe
2496	7z.exe
2796	cmd.exe
700	7z.exe
2796	cmd.exe
2736	7z.exe
2796	cmd.exe
544	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@normhhd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1640	@normhhd.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	2660	7z.exe
Token: 35	2660	7z.exe
Token: SeSecurityPrivilege	2660	7z.exe
Token: SeSecurityPrivilege	2660	7z.exe
Token: SeRestorePrivilege	1780	7z.exe
Token: 35	1780	7z.exe
Token: SeSecurityPrivilege	1780	7z.exe
Token: SeSecurityPrivilege	1780	7z.exe
Token: SeRestorePrivilege	2756	7z.exe
Token: 35	2756	7z.exe
Token: SeSecurityPrivilege	2756	7z.exe
Token: SeSecurityPrivilege	2756	7z.exe
Token: SeRestorePrivilege	2008	7z.exe
Token: 35	2008	7z.exe
Token: SeSecurityPrivilege	2008	7z.exe
Token: SeSecurityPrivilege	2008	7z.exe
Token: SeRestorePrivilege	1928	7z.exe
Token: 35	1928	7z.exe
Token: SeSecurityPrivilege	1928	7z.exe
Token: SeSecurityPrivilege	1928	7z.exe
Token: SeRestorePrivilege	1820	7z.exe
Token: 35	1820	7z.exe
Token: SeSecurityPrivilege	1820	7z.exe
Token: SeSecurityPrivilege	1820	7z.exe
Token: SeRestorePrivilege	3044	7z.exe
Token: 35	3044	7z.exe
Token: SeSecurityPrivilege	3044	7z.exe
Token: SeSecurityPrivilege	3044	7z.exe
Token: SeRestorePrivilege	2496	7z.exe
Token: 35	2496	7z.exe
Token: SeSecurityPrivilege	2496	7z.exe
Token: SeSecurityPrivilege	2496	7z.exe
Token: SeRestorePrivilege	700	7z.exe
Token: 35	700	7z.exe
Token: SeSecurityPrivilege	700	7z.exe
Token: SeSecurityPrivilege	700	7z.exe
Token: SeRestorePrivilege	2736	7z.exe
Token: 35	2736	7z.exe
Token: SeSecurityPrivilege	2736	7z.exe
Token: SeSecurityPrivilege	2736	7z.exe
Token: SeRestorePrivilege	544	7z.exe
Token: 35	544	7z.exe
Token: SeSecurityPrivilege	544	7z.exe
Token: SeSecurityPrivilege	544	7z.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2796	2848	JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe	30
PID 2848 wrote to memory of 2796	2848	JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe	30
PID 2848 wrote to memory of 2796	2848	JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe	30
PID 2848 wrote to memory of 2796	2848	JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe	30
PID 2796 wrote to memory of 2220	2796	cmd.exe	32
PID 2796 wrote to memory of 2220	2796	cmd.exe	32
PID 2796 wrote to memory of 2220	2796	cmd.exe	32
PID 2796 wrote to memory of 2660	2796	cmd.exe	33
PID 2796 wrote to memory of 2660	2796	cmd.exe	33
PID 2796 wrote to memory of 2660	2796	cmd.exe	33
PID 2796 wrote to memory of 1780	2796	cmd.exe	34
PID 2796 wrote to memory of 1780	2796	cmd.exe	34
PID 2796 wrote to memory of 1780	2796	cmd.exe	34
PID 2796 wrote to memory of 2756	2796	cmd.exe	35
PID 2796 wrote to memory of 2756	2796	cmd.exe	35
PID 2796 wrote to memory of 2756	2796	cmd.exe	35
PID 2796 wrote to memory of 2008	2796	cmd.exe	36
PID 2796 wrote to memory of 2008	2796	cmd.exe	36
PID 2796 wrote to memory of 2008	2796	cmd.exe	36
PID 2796 wrote to memory of 1928	2796	cmd.exe	37
PID 2796 wrote to memory of 1928	2796	cmd.exe	37
PID 2796 wrote to memory of 1928	2796	cmd.exe	37
PID 2796 wrote to memory of 1820	2796	cmd.exe	38
PID 2796 wrote to memory of 1820	2796	cmd.exe	38
PID 2796 wrote to memory of 1820	2796	cmd.exe	38
PID 2796 wrote to memory of 3044	2796	cmd.exe	39
PID 2796 wrote to memory of 3044	2796	cmd.exe	39
PID 2796 wrote to memory of 3044	2796	cmd.exe	39
PID 2796 wrote to memory of 2496	2796	cmd.exe	40
PID 2796 wrote to memory of 2496	2796	cmd.exe	40
PID 2796 wrote to memory of 2496	2796	cmd.exe	40
PID 2796 wrote to memory of 700	2796	cmd.exe	41
PID 2796 wrote to memory of 700	2796	cmd.exe	41
PID 2796 wrote to memory of 700	2796	cmd.exe	41
PID 2796 wrote to memory of 2736	2796	cmd.exe	42
PID 2796 wrote to memory of 2736	2796	cmd.exe	42
PID 2796 wrote to memory of 2736	2796	cmd.exe	42
PID 2796 wrote to memory of 544	2796	cmd.exe	43
PID 2796 wrote to memory of 544	2796	cmd.exe	43
PID 2796 wrote to memory of 544	2796	cmd.exe	43
PID 2796 wrote to memory of 2036	2796	cmd.exe	44
PID 2796 wrote to memory of 2036	2796	cmd.exe	44
PID 2796 wrote to memory of 2036	2796	cmd.exe	44
PID 2796 wrote to memory of 1640	2796	cmd.exe	45
PID 2796 wrote to memory of 1640	2796	cmd.exe	45
PID 2796 wrote to memory of 1640	2796	cmd.exe	45
PID 2796 wrote to memory of 1640	2796	cmd.exe	45

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72919bf5ac55f584c67da2004287e124.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p___________4167pwd23162pwd24256pwd3899pwd21523pwd6183pwd5060___________ -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_10.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\system32\attrib.exe
    attrib +H "@normhhd.exe"
    3⤵
    - Views/modifies file attributes
    PID:2036
- - C:\Users\Admin\AppData\Local\Temp\main\@normhhd.exe
    "@normhhd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\@normhhd.exe

Filesize
104KB

MD5
d62aa042df33a547e8285b3ecd32ecd2

SHA1
1f0b1039b8ac46c445d74fad6d072a73129ff740

SHA256
6e7b7247eb14418b43d9ac257e3b1600e428c66010ddfc6f34f51c5b0b86a6a4

SHA512
0de47d94bd894518d695e955eb8a4917c867ecc8732613e688989dd1e38294152398fb7d5300e67f46620c5509530d91c4b4ab238b19b07085cb5f87534b3930

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
5e2fb08e59b7efe2bd28f55206cb9daf

SHA1
f906c3263aa09bc6a57b76032ad4f72b75944c02

SHA256
9df4a6b489ff097789f275822f7a7d63606c254db3af4ecb1ed143e64f18a2c3

SHA512
e107d5e29f8a1bde0a38180a31185f8d6f39aa12e47622330fdecb0a7635cfa7da1ce053840dbe99062c61339c94b1126bea9b973e51a7ba76d27e9ab622a196

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
43KB

MD5
0a27e7638db4cec0b87ceaae07dfb208

SHA1
536af2de69ac9a03e1e10b3b8ac044be4ff72a22

SHA256
e4da2a07234c1a916865f67584d9204bd52a8c9aa7720cb4875f059d1c799edf

SHA512
e16361c467aabb8885c14d88d1c762634ea31e55766714fa5f3d46f9ae2838a804b4729e58cc2905c83ea1aff1ae278eb0a02c6bfbc3f2e907de80364c430d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
1.6MB

MD5
c5e94de79269bc96d05151025867592f

SHA1
089d3b402f0a477bf527268763c189e4c4d2f6aa

SHA256
cb3cacd0dfd5785f9c5d594cc2ba75216b9d0e786cfca39e72bd5f62311a5d08

SHA512
5f3801af1659afea30003ba411db86e93d21f77638047fb2968e3b5e895520096bbb614cec8b01489e3a2c9ca59690f780abc3e1d0b6a69796f3601436f64545

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
43KB

MD5
14dfcb2fc9f3ccc2805cf2e77107b7c2

SHA1
51cd7b0c4a112dd51fbb3a5e213118c0e2621a0d

SHA256
4b18ec68c07bd31b824fcda431b27a98bbcdd3604b4e8bd0868b2b6c6dd8d11f

SHA512
355a934108debd184b71f05ef53d67840773fbadb2d2a2beffd6d4f47434d8fcc0605ce8defa57a09583143f7f6bc07881b58341fe8167775096aaa66a3ee59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
44KB

MD5
a8939febfebb028225a1ff386dd53eb1

SHA1
cebf6e5e860b141e64135b23061c818b6fdc9771

SHA256
fa16c85d14e26ba0f729c8c7e9d165c45dc3d3c7c6dc7b6c380074aa5eaf2d0c

SHA512
48bce1305bcfe5e429e8a1edf48246dc166d8bf276769cc24a8af7cce7f7a6772dc24ad5b0b993a00ed5d95121b965bff0d468725609e28dbefae4fa6430c882

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
44KB

MD5
98aa6e7bc005c5ce78968397acb465dd

SHA1
9ffd1d0df4e5f1c2c80891411247b829cf299471

SHA256
ec80bc892c5e96a9ff5eb2b1aa9ca3e4594513907c5d00619bb80fb84a33cb44

SHA512
777ccb5b6baf6f662555dab0c40123a670bbfcd4154e99619cb7ac7a6549089f1a3962e955caa4adbf969c5ae43709a8560ebf3cecd6ed01788094806b600dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
44KB

MD5
d0091e189f8a95a4dfa6343988bb54d5

SHA1
938d5b1062d20c115e7a749cd6bb022c22ac963d

SHA256
52f3b6b861b7a8d57b50ae59a32a94ec5e7e4f700ea333c1ba503bae9e91b04e

SHA512
c5819ebd17072b84e3d2df377d96e0849632e86c9e1ed57077002c7ed068547f88d1b8be9b7d63ae781d6a8847e7c85a1e5e98f07e662da741400962e0c65256

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
44KB

MD5
85159e9eda153788caefa180f612a374

SHA1
9c0f4b2ba7505e1b9cb62f82ba9205408e232a04

SHA256
551064a6cff12417ef8c2845bfe2c86c5198840ad36c02b7f45518546ff20c0b

SHA512
176748cc65602bbb4dbcf37f090810bd5c421a88e31f469663a120ee52f7f4ab61fb3904abee42b294b555385ad79920f0a643f299fc40d0c049b841d4c6c168

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
44KB

MD5
2181fdb9223135d9a4c5f94a7f0934ec

SHA1
1b914913e99e4cb0d0376e79fb540a174587e720

SHA256
dc85b5f5b1915bb047f64e7d1f61cb41f74834715169865382356603b1f6472d

SHA512
62442cee6276db9ad5f31ccbbbb2aa8a0495d3ee837dfb4f83d8235dd4148789568129c23e72a6f4a7440afb4348ea7e682e22516d665267b4c12c7a779c06d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
44KB

MD5
3f7b39e2c17f35ab4a7986aa632e9f5d

SHA1
87a1e2ec15985db8c9dab3e5de0bec3209ed933d

SHA256
0b2914bbe6dafba31b615854a8a07dc01f0a1b0a562dc4d2561d82e3be7e50ff

SHA512
077f136eb36355c4dcee272bcb5de03efa3f70326ca2856e4b4ed8735a28cfc3dec6ddddd1107b8f1e83c8477f3a99186737fb24d0848c7c894b0a16cfcffd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
44KB

MD5
fd63e687196b25f937d65baec300fef5

SHA1
ab9633e937eaa3f0c5780fb7b8d9ea1935f5e6a1

SHA256
bebe5ae980715fae41fd339fddc20885e19aa5013decf3998706b8ed5dbb4879

SHA512
7110f00a38433fe7f432312469954b80e4ca3198a360fc5604cc0c3df62b2577c013809124eae99f84f827d0984852db22489bb3bc74c4d88739640c7a5ce854

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
2b462118d8aa6b3c686472b5393c9738

SHA1
7a2cf1de9e60227614c7735100e3e58580ee8e48

SHA256
ede7d0fd13ddb2702fe993a6dd607ed1a867c026acfd77cf08f535144891ef4e

SHA512
b1bf622c499fe4fd4dc4c4e289d21051e309c57393f20eb68dde7d4dca6731523ccb5b3b4b0520e8f2909349b72efb36af5a6f1b019b5d156f82a4315e286e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
513B

MD5
5173e9e9092d4155efa2264de7d78b46

SHA1
83342b01bbad2438f4f1daeca7813f1ee01ca48e

SHA256
4cfe442148bd608a48ffdc2359e17d9393e5a2c29963154d8b3bd8da01ff2dd0

SHA512
e10f657be0f095a338fab4f4e855458ef897dec240a5dee38c0156d2084911dd20dacdc610abcb33c2db9887753e6ce0cc3b5d7286e55e11d356b9291df37071

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1640-99-0x0000000000E80000-0x0000000000EA0000-memory.dmp

Filesize
128KB

Download