redline | e18183cba24914f1855b8e9f371bfe580b48a80fc99d8bcf69e1d8921c638384

General

Target

SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe
Size

689KB
MD5

f0092d7c04e468c5b19773b672566637
SHA1

e9e5019301b5ece3d3d350f9be77cd07ff6e31c1
SHA256

e18183cba24914f1855b8e9f371bfe580b48a80fc99d8bcf69e1d8921c638384
SHA512

0e50480a883436ea888f9a97c25b769cfccfe559d41a4b9717c08c5ab603d255c07dc5d88e02e09c944cbd90f87e073c5ef73cd39bb08ea92fce01776649638c

Score

10^/10

redline infostealer upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3864-11-0x00000000097C0000-0x00000000097E4000-memory.dmp	family_redline
behavioral2/memory/3864-13-0x0000000009830000-0x0000000009852000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

bestof.exe

pid process

3864 bestof.exe

pid	process
3864	bestof.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe	upx
C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
14	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bestof.exe

description pid process

Token: SeDebugPrivilege 3864 bestof.exe

description	pid	process
Token: SeDebugPrivilege	3864	bestof.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe

description	pid	process	target process
PID 2432 wrote to memory of 3864	2432	SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe	bestof.exe
PID 2432 wrote to memory of 3864	2432	SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe	bestof.exe
PID 2432 wrote to memory of 3864	2432	SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe	bestof.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.PWSBanker.jc.23769.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe
bestof.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe

MD5
a7e9e9cf220846cf4886665f5dca877d

SHA1
25316dff51b674a33b4db6aa4187477f1bcfb72f

SHA256
f8c01a2d1b187aee1a6b8fc7cb87369cbc920e6c288f53af356287cb3def107e

SHA512
b2922db7d114e27eda9d436bcd7bb7c29791fbee25a5807223dd9fc0f6b913b0caacbd0518ce97494f42a8bc2f44b0f33ec1cfb0144b41249589f64b23f266db

Download Submit
C:\Users\Admin\AppData\Roaming\leadentop\bestof.exe

MD5
a7e9e9cf220846cf4886665f5dca877d

SHA1
25316dff51b674a33b4db6aa4187477f1bcfb72f

SHA256
f8c01a2d1b187aee1a6b8fc7cb87369cbc920e6c288f53af356287cb3def107e

SHA512
b2922db7d114e27eda9d436bcd7bb7c29791fbee25a5807223dd9fc0f6b913b0caacbd0518ce97494f42a8bc2f44b0f33ec1cfb0144b41249589f64b23f266db

Download Submit
memory/2432-3-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/2432-2-0x00000000051F4000-0x00000000051F5000-memory.dmp

Filesize
4KB

Download
memory/3864-10-0x0000000072A90000-0x000000007317E000-memory.dmp

Filesize
6.9MB

Download
memory/3864-7-0x0000000005481000-0x0000000005482000-memory.dmp

Filesize
4KB

Download
memory/3864-8-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3864-9-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/3864-4-0x0000000000000000-mapping.dmp

Download
memory/3864-11-0x00000000097C0000-0x00000000097E4000-memory.dmp

Filesize
144KB

Download
memory/3864-12-0x00000000099C0000-0x00000000099C1000-memory.dmp

Filesize
4KB

Download
memory/3864-13-0x0000000009830000-0x0000000009852000-memory.dmp

Filesize
136KB

Download
memory/3864-14-0x0000000009EC0000-0x0000000009EC1000-memory.dmp

Filesize
4KB

Download
memory/3864-15-0x00000000098F0000-0x00000000098F1000-memory.dmp

Filesize
4KB

Download
memory/3864-16-0x0000000009930000-0x0000000009931000-memory.dmp

Filesize
4KB

Download
memory/3864-17-0x000000000A4D0000-0x000000000A4D1000-memory.dmp

Filesize
4KB

Download
memory/3864-18-0x000000000A620000-0x000000000A621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads