redline | 3729cc0e9183d4e4e6e7c9b82311538cc4357e35f817c32791131cc62a32ae1a

General

Target

671e6f422545a4273412a90df532cfba.exe
Size

241KB
MD5

671e6f422545a4273412a90df532cfba
SHA1

f0fc814796366c45b48d998663f26b68bdf84150
SHA256

3729cc0e9183d4e4e6e7c9b82311538cc4357e35f817c32791131cc62a32ae1a
SHA512

2f07e3ce8a344347697a33346fef48cadab56c4e6bb815147bec8d832acee78652926d3e2ce318fa35f3b3fd99090f36148240fb2035c4a14c1f15261e8232c2

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1128-15-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/1128-16-0x0000000000420ECE-mapping.dmp	family_redline
behavioral1/memory/1128-19-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/1128-18-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

Mfdgizpvvdk2.exeMfdgizpvvdk2.exeMfdgizpvvdk2.exeMfdgizpvvdk2.exe

pid process

1444 Mfdgizpvvdk2.exe
1012 Mfdgizpvvdk2.exe
1672 Mfdgizpvvdk2.exe
1128 Mfdgizpvvdk2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Mfdgizpvvdk2.exe

description pid process target process

PID 1444 set thread context of 1128 1444 Mfdgizpvvdk2.exe Mfdgizpvvdk2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Mfdgizpvvdk2.exe

pid process

1444 Mfdgizpvvdk2.exe
1444 Mfdgizpvvdk2.exe
1444 Mfdgizpvvdk2.exe
1444 Mfdgizpvvdk2.exe

pid	process
1444	Mfdgizpvvdk2.exe
1012	Mfdgizpvvdk2.exe
1672	Mfdgizpvvdk2.exe
1128	Mfdgizpvvdk2.exe

description	pid	process	target process
PID 1444 set thread context of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe

pid	process
1444	Mfdgizpvvdk2.exe
1444	Mfdgizpvvdk2.exe
1444	Mfdgizpvvdk2.exe
1444	Mfdgizpvvdk2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

671e6f422545a4273412a90df532cfba.exeMfdgizpvvdk2.exeMfdgizpvvdk2.exe

description	pid	process
Token: SeDebugPrivilege	1040	671e6f422545a4273412a90df532cfba.exe
Token: SeDebugPrivilege	1444	Mfdgizpvvdk2.exe
Token: SeDebugPrivilege	1128	Mfdgizpvvdk2.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

671e6f422545a4273412a90df532cfba.exeMfdgizpvvdk2.exe

description	pid	process	target process
PID 1040 wrote to memory of 1444	1040	671e6f422545a4273412a90df532cfba.exe	Mfdgizpvvdk2.exe
PID 1040 wrote to memory of 1444	1040	671e6f422545a4273412a90df532cfba.exe	Mfdgizpvvdk2.exe
PID 1040 wrote to memory of 1444	1040	671e6f422545a4273412a90df532cfba.exe	Mfdgizpvvdk2.exe
PID 1040 wrote to memory of 1444	1040	671e6f422545a4273412a90df532cfba.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1012	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1012	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1012	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1012	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1672	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1672	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1672	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1672	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 1444 wrote to memory of 1128	1444	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe

C:\Users\Admin\AppData\Local\Temp\671e6f422545a4273412a90df532cfba.exe
"C:\Users\Admin\AppData\Local\Temp\671e6f422545a4273412a90df532cfba.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe
"C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe
"C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe"
3⤵
- Executes dropped EXE
PID:1012

C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe
"C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe"
3⤵
- Executes dropped EXE
PID:1672

C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe
"C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe

MD5
a9f97dc2289b31d13ca8dbcb70505ae2

SHA1
37fb44ea49c12e46c4865304ea0740b14f49daad

SHA256
f5104bdce7833fc1389cf0e5c5e46a07e69cf8e85abb4062fc4d00278fbcdfb0

SHA512
efb132f3ec5f29ff64195e546d5bbd57a2618428e7651ffb60efa8e79f8f966b8a60062118e645c24acdca6f01ed9f8de640c750cea696f6862be83cb5c1f369

Download Submit
C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe

MD5
a9f97dc2289b31d13ca8dbcb70505ae2

SHA1
37fb44ea49c12e46c4865304ea0740b14f49daad

SHA256
f5104bdce7833fc1389cf0e5c5e46a07e69cf8e85abb4062fc4d00278fbcdfb0

SHA512
efb132f3ec5f29ff64195e546d5bbd57a2618428e7651ffb60efa8e79f8f966b8a60062118e645c24acdca6f01ed9f8de640c750cea696f6862be83cb5c1f369

Download Submit
C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe

MD5
a9f97dc2289b31d13ca8dbcb70505ae2

SHA1
37fb44ea49c12e46c4865304ea0740b14f49daad

SHA256
f5104bdce7833fc1389cf0e5c5e46a07e69cf8e85abb4062fc4d00278fbcdfb0

SHA512
efb132f3ec5f29ff64195e546d5bbd57a2618428e7651ffb60efa8e79f8f966b8a60062118e645c24acdca6f01ed9f8de640c750cea696f6862be83cb5c1f369

Download Submit
C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe

MD5
a9f97dc2289b31d13ca8dbcb70505ae2

SHA1
37fb44ea49c12e46c4865304ea0740b14f49daad

SHA256
f5104bdce7833fc1389cf0e5c5e46a07e69cf8e85abb4062fc4d00278fbcdfb0

SHA512
efb132f3ec5f29ff64195e546d5bbd57a2618428e7651ffb60efa8e79f8f966b8a60062118e645c24acdca6f01ed9f8de640c750cea696f6862be83cb5c1f369

Download Submit
C:\Users\Admin\AppData\Roaming\if0gvang.4yo\Mfdgizpvvdk2.exe

MD5
a9f97dc2289b31d13ca8dbcb70505ae2

SHA1
37fb44ea49c12e46c4865304ea0740b14f49daad

SHA256
f5104bdce7833fc1389cf0e5c5e46a07e69cf8e85abb4062fc4d00278fbcdfb0

SHA512
efb132f3ec5f29ff64195e546d5bbd57a2618428e7651ffb60efa8e79f8f966b8a60062118e645c24acdca6f01ed9f8de640c750cea696f6862be83cb5c1f369

Download Submit
memory/1040-3-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1040-2-0x000007FEF63B0000-0x000007FEF6D9C000-memory.dmp

Filesize
9.9MB

Download
memory/1128-16-0x0000000000420ECE-mapping.dmp

Download
memory/1128-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1128-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1128-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1128-20-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1444-12-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/1444-11-0x0000000000370000-0x00000000003AA000-memory.dmp

Filesize
232KB

Download
memory/1444-9-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1444-8-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1444-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads