redline | f6c756d3b2667ac43f733489fffd65d440ea62da586eb792877dcaab2074873d

General

Target

apphost3.exe
Size

2.4MB
MD5

63c27795d4ec81c0ae682d0ce2dc2bc6
SHA1

841662e430710b633614c23a467027cd49e7dc82
SHA256

f6c756d3b2667ac43f733489fffd65d440ea62da586eb792877dcaab2074873d
SHA512

54f1e5c2afd0d086d047d8a8fcfd68f29cf9ff9560fb74916e9d004302bc1c1ea93b55a5278174092a5fa2a98900300c3166d37f0a0943ee6655ef839b88d739

Score

10^/10

redline evasion infostealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1892-3-0x00000000050E0000-0x00000000052AA000-memory.dmp	family_redline
behavioral1/memory/1892-4-0x0000000004F10000-0x00000000050D8000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

apphost3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	apphost3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	apphost3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

apphost3.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apphost3.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

apphost3.exe

pid process

1892 apphost3.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1080 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

apphost3.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1892 apphost3.exe
Token: SeDebugPrivilege 1080 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	apphost3.exe

pid	process
1892	apphost3.exe

pid	process
1080	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1892	apphost3.exe
Token: SeDebugPrivilege	1080	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

apphost3.execmd.exe

description	pid	process	target process
PID 1892 wrote to memory of 1668	1892	apphost3.exe	cmd.exe
PID 1892 wrote to memory of 1668	1892	apphost3.exe	cmd.exe
PID 1892 wrote to memory of 1668	1892	apphost3.exe	cmd.exe
PID 1892 wrote to memory of 1668	1892	apphost3.exe	cmd.exe
PID 1668 wrote to memory of 1080	1668	cmd.exe	taskkill.exe
PID 1668 wrote to memory of 1080	1668	cmd.exe	taskkill.exe
PID 1668 wrote to memory of 1080	1668	cmd.exe	taskkill.exe
PID 1668 wrote to memory of 1080	1668	cmd.exe	taskkill.exe
PID 1668 wrote to memory of 552	1668	cmd.exe	choice.exe
PID 1668 wrote to memory of 552	1668	cmd.exe	choice.exe
PID 1668 wrote to memory of 552	1668	cmd.exe	choice.exe
PID 1668 wrote to memory of 552	1668	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\apphost3.exe
"C:\Users\Admin\AppData\Local\Temp\apphost3.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 1892 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\apphost3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1892
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-7-0x0000000000000000-mapping.dmp

Download
memory/1080-6-0x0000000000000000-mapping.dmp

Download
memory/1668-5-0x0000000000000000-mapping.dmp

Download
memory/1892-0-0x0000000000400000-0x0000000000880000-memory.dmp

Filesize
4.5MB

Download
memory/1892-1-0x00000000026E0000-0x00000000026F1000-memory.dmp

Filesize
68KB

Download
memory/1892-2-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/1892-3-0x00000000050E0000-0x00000000052AA000-memory.dmp

Filesize
1.8MB

Download
memory/1892-4-0x0000000004F10000-0x00000000050D8000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads