redline | 6a8bcf6323187b363a010c14c33f6577a03d8dc8f4f7bc21acea0b2bce80a983

Resubmissions

31-01-2025 21:05

250131-zxg13sxjgw 10

31-01-2025 21:01

250131-zt6j9sxjcx 10

Analysis

max time kernel
50s
max time network
48s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31-01-2025 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GodsFxckTools 2.5.exe
Size

14.0MB
MD5

6190c77e3fe2aead6144fede72fe9d39
SHA1

0d24a76b22f39b74f8b14eb2064139067ad2b47d
SHA256

6a8bcf6323187b363a010c14c33f6577a03d8dc8f4f7bc21acea0b2bce80a983
SHA512

54bb0d5529375e44fd28cfd7c285396da4bccde6eaf658cb7cd9cc37c366d646aae9e8acc65107e8749b2d1c643754a5ce37f38ff1ba424880abc4e52e37bab4
SSDEEP

6144:riRQ9JQlU61nUt/ZoAsvRVZlOvraB6JBrWrZQMQsdx:riRQ92scXJlOvVBE4sdx

Score

10^/10

redline discovery infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1680-1-0x0000000000630000-0x000000000065E000-memory.dmp	family_redline

Redline family
redline

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GodsFxckTools 2.5.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133828309462178744"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe
Token: SeShutdownPrivilege	2916	chrome.exe
Token: SeCreatePagefilePrivilege	2916	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe
2916	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2100	2916	chrome.exe	95
PID 2916 wrote to memory of 2100	2916	chrome.exe	95
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 2744	2916	chrome.exe	96
PID 2916 wrote to memory of 3268	2916	chrome.exe	97
PID 2916 wrote to memory of 3268	2916	chrome.exe	97
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98
PID 2916 wrote to memory of 4392	2916	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\GodsFxckTools 2.5.exe
"C:\Users\Admin\AppData\Local\Temp\GodsFxckTools 2.5.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9461dcc40,0x7ff9461dcc4c,0x7ff9461dcc58
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,18360559817177457890,15421841874191552485,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,18360559817177457890,15421841874191552485,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2324,i,18360559817177457890,15421841874191552485,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=1800 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,18360559817177457890,15421841874191552485,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,18360559817177457890,15421841874191552485,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,18360559817177457890,15421841874191552485,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,18360559817177457890,15421841874191552485,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,18360559817177457890,15421841874191552485,262144 --variations-seed-version=20250127-050148.939000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
57fc820226acd68888f87154156191f1

SHA1
bdfbae806b98065ae702d66748c220bb7b3c1dc9

SHA256
7ba7fac731be6fe664941fad082b81851828ac7f0c822d16a02974b432a37317

SHA512
be2bb04978c4323cd59bce5b61fdb558695cc5f7bac60edc0f80df143998b4b8a2df1714c0e585945e183f9493cc86a63a31b1bb731fb440518ef765ddd8fa93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cbbea377e5062b5b25abe09f2c1aee9d

SHA1
963dde366db61f47f5af8e993c1fa78c76173db9

SHA256
acb8773924c13e2d8e0cff8bac9cbaea2034ce2f07f9fa640af1db2f8750323b

SHA512
419278b3955a63a885a533510e9435e7f749a6897898148fd23458639988bbf688c08ab7711a23b2e01d26ac3abf852f075283f38c9b397b7469aeadf0e6a5ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a6ce2e672370560e5e35d499b4276ca2

SHA1
a65210a2e29d6b3f0561b23667e1eb2b760f4114

SHA256
12715b5ec1e520f0a923b67ea79ef22922ab982ffcb2d775dfc5d1d0bb428bb4

SHA512
0c6348b8925025c7f1e02d633db612a24b423a1f6eb8941b0d35133635343fca645ebf883f5472655552282ea3775a6ea2d246d4cbe79bff4053bbdc639093c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
241KB

MD5
bd334b9f66e45e47c1be18ea7162dedb

SHA1
a4446074c5910a9cb82a5ac5e8dda059df77903b

SHA256
59837ec7e55b8d10b45e1b6852a49ea05ccbd4463c8070affa07b64435149f69

SHA512
6a168ee3d21f5b5fa8d5ab713befcd79f3d3c58c94c412a374415dc55b5a7221615e8457c82a3c66fa5d75c7f5628aec5b69983ea9db0143a525de84c818c28c

Download Submit
memory/1680-7-0x0000000002B40000-0x0000000002B52000-memory.dmp

Filesize
72KB

Download
memory/1680-10-0x0000000005040000-0x000000000508C000-memory.dmp

Filesize
304KB

Download
memory/1680-11-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/1680-12-0x0000000074EC0000-0x0000000075671000-memory.dmp

Filesize
7.7MB

Download
memory/1680-9-0x0000000005000000-0x000000000503C000-memory.dmp

Filesize
240KB

Download
memory/1680-8-0x0000000005110000-0x000000000521A000-memory.dmp

Filesize
1.0MB

Download
memory/1680-1-0x0000000000630000-0x000000000065E000-memory.dmp

Filesize
184KB

Download
memory/1680-6-0x0000000005620000-0x0000000005C38000-memory.dmp

Filesize
6.1MB

Download
memory/1680-5-0x0000000074EC0000-0x0000000075671000-memory.dmp

Filesize
7.7MB

Download
memory/1680-4-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download