redline | 0966b8fa44d66718e1e97ea0deb405d742b88e8cc35bec9408e5206c82940866

Resubmissions

11-01-2025 16:56

250111-vf1pmstpey 10

11-01-2025 16:49

250111-vbzxjstngs 10

Analysis

max time kernel
72s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

300KB
MD5

c681779d066264777f4dfc8002e2d851
SHA1

9f5d446d8ff6042992b01f143e98781446bda8c8
SHA256

0966b8fa44d66718e1e97ea0deb405d742b88e8cc35bec9408e5206c82940866
SHA512

a7ec8c52738dcba598749430b0c373095f2cb56766afc1f238d86ea89973ff1f4f3fc64f85fc7351353e08ea4bf75e435f5e5fcc724df346e54294269fcf6763
SSDEEP

3072:ecZqf7D341p/0+mAKky4iSQIgl+B1fA0PuTVAtkxzs3RweqiOL2bBOA:ecZqf7DIvnSR8B1fA0GTV8kGQL

Score

10^/10

redline sv0st discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

SV0ST

mbaper-28496.portmap.host:2420

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1868-1-0x00000000004F0000-0x0000000000542000-memory.dmp	family_redline

Redline family
redline

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ConvertFromMerge.tif

Filesize
755KB

MD5
ab6d192d158a9284a5b594d70823ead2

SHA1
356fb906c16e4c476d2a6a3cbe4e0cf84f46cb87

SHA256
4fc87b9868b7dafdbb231594d7c3f4f17736facd4c140627c4c2dac151ebc880

SHA512
0c96cec2d52fa5f0e8d8de6db0d5ed10cd75232571909597214e3bbe3e2269a53571371a37d2cc050e312de08f98dddec14d121213a5ae4c6646f89236952aa7

Download Submit
C:\Users\Admin\Desktop\CopyUnregister.xlt

Filesize
453KB

MD5
18a1496e86eff4f491f7bd217230578e

SHA1
67df78698ac0e2a6a7979b87d890a308fa0d15a8

SHA256
a444b3a881d1570a06a88358d14da73113a1f7d31fbb4ebd080ad541ba54b6ad

SHA512
34148a85475a62093f7d2cc65c61ac835acb0da1d4286adae038aab1df1695bfa448b6d4e09596b6ad869c174d6905d5758e082db7b1a65d3d5e05f4a9bf1609

Download Submit
C:\Users\Admin\Desktop\DisconnectSubmit.ini

Filesize
876KB

MD5
dccfbaae35ea27546aa119f1eb25dc4d

SHA1
6264185dc48b5fc617f25dd41a8677f2dab0e325

SHA256
0b952b6fe694af0cde31099487ee92648fb482bbc3b2eade8215511ee3575206

SHA512
1bdd7d3698da0854871d43267fa7ceb70cf295b2da64485ab90b488272d787c3f772821db54def5f3de8817da517a6f8187d082c39ebfcd6a557c1f2f8b00b5d

Download Submit
C:\Users\Admin\Desktop\DismountWrite.3gp

Filesize
725KB

MD5
c2b632ca8397cb8664f9573f298cc1f2

SHA1
afe745dffe012754f3b92e4ac84b1ff58c54827a

SHA256
dd957f6aeb9f1e89195bb209c8235195cfbc6db900d00b63c9bf5b691165d1b0

SHA512
13376d3da6614fc17e2e3dd927fcbae854d07916b0e40f1b11b7f45409065a795218bcfde5bcb44eb8b14bbe8c19c568f41c2a993fb2d275d3ac2721b4e45862

Download Submit
C:\Users\Admin\Desktop\ExitDeny.snd

Filesize
695KB

MD5
e8cd539f8dddab54c2364b5c32dedf1d

SHA1
63a2410d9ac7cf5ead73db25659d0676f293c9c5

SHA256
fe4ea57a61413513c132ef6cfa11137c31e7caf8caf5585c40d96b4f2c0908f4

SHA512
ac8714eebf0e12eee5fd3e75e2a3274b2e250a9020476bc3a21ac10d8323768b9b3a796c2b6243a21c93f775e48ece994d7ca7cc452c71acbd094fe206cffc55

Download Submit
C:\Users\Admin\Desktop\ExpandConfirm.emf

Filesize
664KB

MD5
e0ee93800a7fc557e72abdf7b83187c4

SHA1
3ebfad128d31905c0cebbd1c2836665e8af23768

SHA256
56768a4d71a65891bc01de3b0832316ca5deda85ff01b4670aa1768d9dd828eb

SHA512
f8aa7057e97e809f067aa448cea89595841f1bef4972bd199fdb46c0c0f084f23e4cd1f4835ff3da47b9bdf2a96cdaa8b905719ac4534ee2c7060c4394c2c64d

Download Submit
C:\Users\Admin\Desktop\ExportMerge.ppt

Filesize
483KB

MD5
1d206c7357c8e102163a00ad336c2a4a

SHA1
3b43483e39c5e3226f5e3bbd474b5723414b26f5

SHA256
c1032b80caf06c065a86f64c7157b9616be1c2e75c5b866efc46a9d973151136

SHA512
88c3f5baeae99258fed92350206a742b158d522128956a575ed0f3c83908cfe6eea5f20f1c8d3b2ceff8f5552aeee20b0fdc70b64abffc413e78338f965b3ea2

Download Submit
C:\Users\Admin\Desktop\LimitProtect.avi

Filesize
392KB

MD5
e97b4ea486913ef49437c01716075135

SHA1
cff9ba9c76deb09c6efe85aff0ebbe28f15982c2

SHA256
f239deaad69075ea5d8e3830306dff9b8e4ad48addb3e0abfde48e2885df39a0

SHA512
f1c8a69ee7a2f64f08908fa14cb7f519a425824cbe27e7f00d37c5c073dd207424db274b68636fce2f897c653a964ee731fe447495a099624436c3c8d6ad30bb

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
c15af8e436d04bb72a7d7a9187a73080

SHA1
3ea0b4613779245befedae543afa050102e4dde4

SHA256
0bec71cd66731ada6fad8cbe744874e1558c5c440247938bd3c07e9c1d07e83e

SHA512
3f12c8cf5b95e3eb7863f6e1a16bc0ba50dcb2d1d87ceeaf7b24049e07ab64e019a743d10624262fbb9472f38c15b4455c219a44f3d007992eeaa8d0ae8cb9a3

Download Submit
C:\Users\Admin\Desktop\OpenTest.xlsx

Filesize
15KB

MD5
15c4cc33ddb4ef0afcaa3b539d98adec

SHA1
e7dde7da99ffe379cf4a68162a32cbe48e036bbc

SHA256
eea2fd98807abb6de615736f6a9d017b5faa094dc52769f77226ab098c3d9c9e

SHA512
3728c73db35dc4a87decdfee5b98d6521c1cca56df7b27b0c91c4d59283d6a8227d3e753bec76abcb50deb6b6f110b267fd7ca27a9aff7f2397174f33eded88f

Download Submit
C:\Users\Admin\Desktop\PopOptimize.eprtx

Filesize
997KB

MD5
9e6f581eca15a75c4d3e58b9c797ebde

SHA1
78e2b342d1b115d5286cf60c33437ff393be6093

SHA256
b6bd5f596247860a451fdd6adabffb40d71427e70c22f4ae0b06c1cf2d379f97

SHA512
8447b295f429411cc6b4b86bc3ac32cd6a8e36ee2f03b53151bf5ce6acc1d94c7c5ab2c09d99e6642358b98ca92271377732154b7f66eb3a2b7c0feca081a411

Download Submit
C:\Users\Admin\Desktop\ReadCopy.xlsx

Filesize
1.0MB

MD5
ba2d621be7ffb1b95b189a27e482ab62

SHA1
25cfedc5c99b5a9efd9412957f52b7a43d4a7f5b

SHA256
8775c91b50af5ad5a3dbdf66d585db2c0a6d9bee95d50cbc8fd2e0c82b81eb30

SHA512
fa4598467c122eafd2d9b440bcf1f6272e4ca6639ff1b0926a0de5751ec6b6ed16faf706dd9d2c32efc520a476cd59332761d95987445e0d71c528f6871917cb

Download Submit
C:\Users\Admin\Desktop\ReadPush.xlsx

Filesize
12KB

MD5
a4bea240e7868d40cbbc7ef9afd47e4b

SHA1
2d3569def8fb6c58a7832f0b94607af73ac449f6

SHA256
b8c868d54528e0f2ca37dfa703f1fbd28e5e84d663d2f696f0f3d0038fb5170d

SHA512
d98410439c0fc856e367aa3f11c46308eccf285f523fd755132ff01ee00019647aea60e312af3ec06b0002adaead649d16631d381df0e164d5b2e336ff3f0f6f

Download Submit
C:\Users\Admin\Desktop\RedoRequest.cmd

Filesize
906KB

MD5
4ff823990acf54531842f626b87d3ce6

SHA1
79278826c654cea54756e990c6893c939e44d2bf

SHA256
76660f5cd3fc82af5d0c55d7836fadc1256ef79e052e70d5cde7020e8627cb47

SHA512
f9a9f72177ae2f9254e434382383af93f72585d18c3f9c598c3e2685b3d7b89c3dc7e589d7e47f4e06d7f6ab7cfbc040c30b5ce74a2853f98332d6388d8f8583

Download Submit
C:\Users\Admin\Desktop\RegisterRedo.contact

Filesize
936KB

MD5
f58bef70786deb39adc07b5b1962d72d

SHA1
391791bc95f3efcab640279662e854204f425e3d

SHA256
541e8e50e69be7b1d95f3106c94b125104ce3ae9c081e7fff1eae89546839af6

SHA512
436b5a2a1ac4f55576322191a1dd7e5a3b68a676cf764a8e6dab5bd2f343d574cb787793edcd2a7bd529dc4afb18aa5c251446adf7b54313c2607e480b79c81b

Download Submit
C:\Users\Admin\Desktop\RemoveRepair.3gp2

Filesize
846KB

MD5
edc2fe076ebcb1bc070260172cbe17fb

SHA1
4ede58d5af8d77cc872d141cc7720a0bd7d21948

SHA256
1c54897982bac90bdcf9ed306a232452bfdfada87ecf5be9382df4880034078a

SHA512
adc0a4cf45d5340a5fc8348a2fe28aa73d4b6317ae342e017540ef683ca66d514e1936e1906582e7e8d34e062fe1e701f84d0f9f9ea01a11ed34d9c9a7febc2a

Download Submit
C:\Users\Admin\Desktop\RenameExport.mht

Filesize
634KB

MD5
8535d3a232ec155a10b1e61e2b4f7612

SHA1
65c0c5efbd28b277cd5ce7c3281dec605fc9b014

SHA256
0402802e8d73592f63444a5b9b923e44bf71de9571c27d48023e4317449193c6

SHA512
cb8aac02aeebf36c56ad3919c620dfbe2a4df9c014414a9382f1d4aa88706b1a65fdc6d271ca7d21cbc05f1fa1c8332b6b48f0fd36211d821bb9471766bd8d96

Download Submit
C:\Users\Admin\Desktop\RenameOpen.ps1

Filesize
423KB

MD5
02211ffd1444082f3f7b3bfe789919ab

SHA1
910245d3b1d747e0d64d1d5adeca77199b9e4a7a

SHA256
dc681b0fd8541b5bd4d6007f2618f282c83f86f273830c5dc877c51d891097b7

SHA512
8267373d301e7019f0a48b952557c07f4993524955977d50c33459ef1b52c5e925922ed21736f4484c2c258001e422b1198f087346935be6503b4caf33d206b3

Download Submit
C:\Users\Admin\Desktop\RenameUpdate.xml

Filesize
785KB

MD5
4dc8ca9bef89f46305e497d9740e50f0

SHA1
6737e696394901c0b5f85208868c112b2ebc7b28

SHA256
978a70defe17f45756f226ae506ec84199c5e52752a963775c9cc1f472dc3036

SHA512
1c37cdd5e19787c42886674bdb4fdcf45e245b844649cd14cc1eb0c318dc38482598e8dc0ea72640af3e05f3add366e130fe411f48bc1c37a147e977ac4caff1

Download Submit
C:\Users\Admin\Desktop\RestartStep.reg

Filesize
604KB

MD5
803827532ad373cdb09940859703af92

SHA1
3ffc2d849fca7f198fc32793498585d7005f5c56

SHA256
0fabbdb48e11cebb860fe91df14ca588f33a97f4a02e7e8b8c87627503d25609

SHA512
8c36feb9668b1e1598d5baa8fcf2b1e0c95e2ced060eff7a10be9299f5889c3c96e0cca417876b6e25d964cdb8a0d9e29813cb3424eb9b47f7816693be13389d

Download Submit
C:\Users\Admin\Desktop\SubmitSave.docx

Filesize
12KB

MD5
d65fd599e6bf8176c6a1203862a3f7cf

SHA1
c438728c3ccb89646f47135a69ba9ee3d147fd56

SHA256
a2693f58eb798d016e1e9832a5c49c3028fea094bc57ea21c930f4edea08c7b6

SHA512
9bafa03681fbcf9040d36f1d8c43f69db849e31e50f9a7cdb0918c6d3d8a20d3c451ca32fc17fd5ec6fd335803d746a5cc9cef9e3ba8e48220f0a2715997ad13

Download Submit
C:\Users\Admin\Desktop\SuspendRestart.vsdm

Filesize
574KB

MD5
733a05510aad1c8a8d450cc3ceb3490a

SHA1
d6e08a1b17644cd00aab8c6a19f36274e3793a8d

SHA256
98776c50e6019d7388cfbf73a2a2759a1cc2eb979c252ecc19d380362eb152cc

SHA512
21b319792d88aa44ab57b539899dff144ecb230c3c48ed5fc9f8e452cab1f4af4dbd93f288f7d3f1ecbe7f4fe8a656e5a3dbf4820a3ba981604efe08c04164f2

Download Submit
C:\Users\Admin\Desktop\SwitchUninstall.ogg

Filesize
816KB

MD5
84cb1dc4912f2188af2676be2a3d53cb

SHA1
e4cc5ef876fe0d3f5c5ea4aad29422c601f27a10

SHA256
b5496b4a44b82b20a12eb9ce6a745913f3845a832d41087340647fc390ea6786

SHA512
f52f7cfec4a80a895c26ef6db1a506c26c45b92cc58b490e8da2271133430e4c40c157f0c847a2bcf5f6c7d418b10f2d7c82e0a175c8a062a50ea263ede878df

Download Submit
C:\Users\Admin\Desktop\UndoCompress.DVR

Filesize
1.4MB

MD5
c6533875ecca000526a869f849b79cec

SHA1
408a1df8af7fccaf5462243f1804f785261066a4

SHA256
6d29be81df530aaab966d5fa08d639995fde35863e1cd53622f04504f521d06b

SHA512
17502d577e7a5e90e8cdfbf34a5a40a0d5211e4980445088b21a9b8d698d4c861a950135cb5d273bc9367e69c2a941a2dcca8a9d94a220d2c96e2d9c8bf569d1

Download Submit
C:\Users\Admin\Desktop\UninstallNew.jtx

Filesize
513KB

MD5
226b22b0eb4de9c3221a2c7c6ae24c3c

SHA1
9ecd5275f3dc44f907b6233e0d7ce2ec57840614

SHA256
47e09518a49f962d66250f3917f924dfb1253718606030dcec3ac9624e0af781

SHA512
43cf319c0cb8cdda578f99ffe32fa78819d1fa3dfaa6ec0c274962771378d62895949f69aef849bd822c1fe92f68d6b1c76424642ba8f15b29e7599cba276c5a

Download Submit
C:\Users\Admin\Desktop\UnlockSave.xps

Filesize
362KB

MD5
c65421c2802e8611e9fd90cd63d27959

SHA1
5e48d97f3683cb28ed9b4eb556208b174dbdf490

SHA256
359a172d86f6bf710482b66b00ac25f1e38a5139140e5aba8f9549d4a8473fdf

SHA512
867de704c59543a2d6e19af4a14ad5e698379b17f196b649921832cfccd230cf2de268d39242908bfff1d147b2122490d8efe3331e76cfb550f1c0999ed7b078

Download Submit
C:\Users\Admin\Desktop\UseNew.ppsm

Filesize
544KB

MD5
02a0af7e7cdd2b85284ddd50e6b33086

SHA1
69544e8b63ce7275818be9f943b2b78413bfe138

SHA256
5cdbfdc0cd4460dc23ef275e9037c65d7f29cc391a5bd50fe6cd3e838f26447e

SHA512
95995717634043077cf46377b8b49c34771561a376f195c733642a0e5c861d4957ae3f9341b10975e954fd7363d4cf79c26958742f980f1aae42f33d0bc89d54

Download Submit
C:\Users\Admin\Desktop\WriteCheckpoint.tif

Filesize
967KB

MD5
7be32f208090846f157b4d5fdcd1fbe3

SHA1
26b9cbaf579b62c90a53f599f774ab2472c4fbbc

SHA256
f6143d32a544e24f220ffb1b606c059e92d38d4d0ace9b75805881f2dba55e14

SHA512
844f964107adebd44881b117a2afe1f5339f9035a7de15f6b8f1c60ac2ececae7cd89398a48391b1c2034a598b02ac84efa3ed3d078e3d7b1efb1276c857d822

Download Submit
memory/1868-8-0x0000000005090000-0x00000000050A2000-memory.dmp

Filesize
72KB

Download
memory/1868-10-0x0000000005140000-0x000000000518C000-memory.dmp

Filesize
304KB

Download
memory/1868-9-0x00000000050F0000-0x000000000512C000-memory.dmp

Filesize
240KB

Download
memory/1868-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1868-7-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/1868-6-0x0000000006040000-0x0000000006658000-memory.dmp

Filesize
6.1MB

Download
memory/1868-5-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/1868-4-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1868-3-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/1868-2-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/1868-1-0x00000000004F0000-0x0000000000542000-memory.dmp

Filesize
328KB

Download
memory/1868-39-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1868-40-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download