redline | f6c756d3b2667ac43f733489fffd65d440ea62da586eb792877dcaab2074873d

General

Target

apphost3.exe
Size

2.4MB
MD5

63c27795d4ec81c0ae682d0ce2dc2bc6
SHA1

841662e430710b633614c23a467027cd49e7dc82
SHA256

f6c756d3b2667ac43f733489fffd65d440ea62da586eb792877dcaab2074873d
SHA512

54f1e5c2afd0d086d047d8a8fcfd68f29cf9ff9560fb74916e9d004302bc1c1ea93b55a5278174092a5fa2a98900300c3166d37f0a0943ee6655ef839b88d739

Score

10^/10

redline evasion infostealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3284-3-0x0000000005330000-0x00000000054FA000-memory.dmp	family_redline
behavioral2/memory/3284-5-0x0000000005A10000-0x0000000005BD8000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

apphost3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	apphost3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	apphost3.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

apphost3.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA apphost3.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

apphost3.exe

pid process

3284 apphost3.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1444 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

apphost3.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 3284 apphost3.exe
Token: SeDebugPrivilege 1444 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	apphost3.exe

pid	process
3284	apphost3.exe

pid	process
1444	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3284	apphost3.exe
Token: SeDebugPrivilege	1444	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

apphost3.execmd.exe

description	pid	process	target process
PID 3284 wrote to memory of 1004	3284	apphost3.exe	cmd.exe
PID 3284 wrote to memory of 1004	3284	apphost3.exe	cmd.exe
PID 3284 wrote to memory of 1004	3284	apphost3.exe	cmd.exe
PID 1004 wrote to memory of 1444	1004	cmd.exe	taskkill.exe
PID 1004 wrote to memory of 1444	1004	cmd.exe	taskkill.exe
PID 1004 wrote to memory of 1444	1004	cmd.exe	taskkill.exe
PID 1004 wrote to memory of 1112	1004	cmd.exe	choice.exe
PID 1004 wrote to memory of 1112	1004	cmd.exe	choice.exe
PID 1004 wrote to memory of 1112	1004	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\apphost3.exe
"C:\Users\Admin\AppData\Local\Temp\apphost3.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 3284 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\apphost3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3284
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-11-0x0000000000000000-mapping.dmp

Download
memory/1112-13-0x0000000000000000-mapping.dmp

Download
memory/1444-12-0x0000000000000000-mapping.dmp

Download
memory/3284-6-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/3284-4-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3284-5-0x0000000005A10000-0x0000000005BD8000-memory.dmp

Filesize
1.8MB

Download
memory/3284-0-0x0000000000400000-0x0000000000880000-memory.dmp

Filesize
4.5MB

Download
memory/3284-7-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/3284-8-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/3284-9-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/3284-10-0x0000000006440000-0x0000000006441000-memory.dmp

Filesize
4KB

Download
memory/3284-3-0x0000000005330000-0x00000000054FA000-memory.dmp

Filesize
1.8MB

Download
memory/3284-2-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3284-1-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads