redline | ded9ced2ef59268364eed96c2403427c486cc8799c24bb38068d4bf69c486186

General

Target

keygen-step-2.exe
Size

357KB
MD5

8c4fe67a04fab5e6fc528d80fe934d92
SHA1

2dda7f80ae96ba0afa427b8dac4661ee2195b0ac
SHA256

ded9ced2ef59268364eed96c2403427c486cc8799c24bb38068d4bf69c486186
SHA512

86f0a6b357dde692f49e9718032fa3e94ee9bda78d10262a1b00f054d1d9be4fa8734c1f46e630bce5cc5aa2eee09d0d2c2d4206be9abb5b5ab0abc0d6c9f614

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1168-16-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/1168-17-0x0000000000420906-mapping.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

5411.tmp.exe5411.tmp.exe

pid process

3632 5411.tmp.exe
1168 5411.tmp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.ipify.org
39 checkip.amazonaws.com

pid	process
3632	5411.tmp.exe
1168	5411.tmp.exe

flow	ioc
24	api.ipify.org
39	checkip.amazonaws.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

keygen-step-2.exe5411.tmp.exe

description	pid	process	target process
PID 4708 set thread context of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 3632 set thread context of 1168	3632	5411.tmp.exe	5411.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

keygen-step-2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	keygen-step-2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	keygen-step-2.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4268 PING.EXE
4428 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

keygen-step-2.exe5411.tmp.exe

pid process

3268 keygen-step-2.exe
3268 keygen-step-2.exe
1168 5411.tmp.exe
1168 5411.tmp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5411.tmp.exe5411.tmp.exe

description pid process

Token: SeDebugPrivilege 3632 5411.tmp.exe
Token: SeDebugPrivilege 1168 5411.tmp.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

keygen-step-2.exe

pid process

4708 keygen-step-2.exe

pid	process
4268	PING.EXE
4428	PING.EXE

pid	process
3268	keygen-step-2.exe
3268	keygen-step-2.exe
1168	5411.tmp.exe
1168	5411.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3632	5411.tmp.exe
Token: SeDebugPrivilege	1168	5411.tmp.exe

pid	process
4708	keygen-step-2.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

keygen-step-2.execmd.exe5411.tmp.exe5411.tmp.execmd.exe

description	pid	process	target process
PID 4708 wrote to memory of 3632	4708	keygen-step-2.exe	5411.tmp.exe
PID 4708 wrote to memory of 3632	4708	keygen-step-2.exe	5411.tmp.exe
PID 4708 wrote to memory of 3632	4708	keygen-step-2.exe	5411.tmp.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 3268	4708	keygen-step-2.exe	keygen-step-2.exe
PID 4708 wrote to memory of 2712	4708	keygen-step-2.exe	cmd.exe
PID 4708 wrote to memory of 2712	4708	keygen-step-2.exe	cmd.exe
PID 4708 wrote to memory of 2712	4708	keygen-step-2.exe	cmd.exe
PID 2712 wrote to memory of 4268	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 4268	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 4268	2712	cmd.exe	PING.EXE
PID 3632 wrote to memory of 1168	3632	5411.tmp.exe	5411.tmp.exe
PID 3632 wrote to memory of 1168	3632	5411.tmp.exe	5411.tmp.exe
PID 3632 wrote to memory of 1168	3632	5411.tmp.exe	5411.tmp.exe
PID 3632 wrote to memory of 1168	3632	5411.tmp.exe	5411.tmp.exe
PID 3632 wrote to memory of 1168	3632	5411.tmp.exe	5411.tmp.exe
PID 3632 wrote to memory of 1168	3632	5411.tmp.exe	5411.tmp.exe
PID 3632 wrote to memory of 1168	3632	5411.tmp.exe	5411.tmp.exe
PID 3632 wrote to memory of 1168	3632	5411.tmp.exe	5411.tmp.exe
PID 1168 wrote to memory of 3108	1168	5411.tmp.exe	cmd.exe
PID 1168 wrote to memory of 3108	1168	5411.tmp.exe	cmd.exe
PID 1168 wrote to memory of 3108	1168	5411.tmp.exe	cmd.exe
PID 3108 wrote to memory of 4428	3108	cmd.exe	PING.EXE
PID 3108 wrote to memory of 4428	3108	cmd.exe	PING.EXE
PID 3108 wrote to memory of 4428	3108	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Roaming\5411.tmp.exe
"C:\Users\Admin\AppData\Roaming\5411.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Roaming\5411.tmp.exe
"C:\Users\Admin\AppData\Roaming\5411.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Roaming\5411.tmp.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:4428

C:\Users\Admin\AppData\Local\Temp\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-2.exe"
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-2.exe" >> NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5411.tmp.exe.log

MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Roaming\5411.tmp.exe

MD5
71e27a77011a6d73b28a9403f23e39c7

SHA1
7e6122eb754e9c6a085ba38234c4e3e2a4ba72d5

SHA256
0f1bd85289b945b02326245f1d49fe90850ec82ed1694ff193eb862bae5f492e

SHA512
51ecaddcc2c19f2ec84a7843902f3c0c1ddc9c6cbf45cc1d95d468045d65bf8582c75d2a8a8192f067c4bbf1db8c3a7f20e31f1db55e02e58f1501d522e07dec

Download Submit
C:\Users\Admin\AppData\Roaming\5411.tmp.exe

MD5
71e27a77011a6d73b28a9403f23e39c7

SHA1
7e6122eb754e9c6a085ba38234c4e3e2a4ba72d5

SHA256
0f1bd85289b945b02326245f1d49fe90850ec82ed1694ff193eb862bae5f492e

SHA512
51ecaddcc2c19f2ec84a7843902f3c0c1ddc9c6cbf45cc1d95d468045d65bf8582c75d2a8a8192f067c4bbf1db8c3a7f20e31f1db55e02e58f1501d522e07dec

Download Submit
C:\Users\Admin\AppData\Roaming\5411.tmp.exe

MD5
71e27a77011a6d73b28a9403f23e39c7

SHA1
7e6122eb754e9c6a085ba38234c4e3e2a4ba72d5

SHA256
0f1bd85289b945b02326245f1d49fe90850ec82ed1694ff193eb862bae5f492e

SHA512
51ecaddcc2c19f2ec84a7843902f3c0c1ddc9c6cbf45cc1d95d468045d65bf8582c75d2a8a8192f067c4bbf1db8c3a7f20e31f1db55e02e58f1501d522e07dec

Download Submit
memory/1168-27-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1168-29-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/1168-36-0x0000000008920000-0x0000000008921000-memory.dmp

Filesize
4KB

Download
memory/1168-35-0x0000000008830000-0x0000000008831000-memory.dmp

Filesize
4KB

Download
memory/1168-34-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/1168-33-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/1168-32-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/1168-28-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/1168-26-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/1168-25-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/1168-24-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/1168-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1168-23-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/1168-17-0x0000000000420906-mapping.dmp

Download
memory/1168-20-0x0000000072EB0000-0x000000007359E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-12-0x0000000000000000-mapping.dmp

Download
memory/3108-37-0x0000000000000000-mapping.dmp

Download
memory/3268-10-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3268-9-0x0000000000401480-mapping.dmp

Download
memory/3268-8-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3632-14-0x0000000007610000-0x000000000764D000-memory.dmp

Filesize
244KB

Download
memory/3632-0-0x0000000000000000-mapping.dmp

Download
memory/3632-15-0x0000000007650000-0x0000000007666000-memory.dmp

Filesize
88KB

Download
memory/3632-6-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/3632-11-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/3632-3-0x0000000072EB0000-0x000000007359E000-memory.dmp

Filesize
6.9MB

Download
memory/3632-7-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/3632-4-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/4268-13-0x0000000000000000-mapping.dmp

Download
memory/4428-38-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads