redline | 3729cc0e9183d4e4e6e7c9b82311538cc4357e35f817c32791131cc62a32ae1a

General

Target

671e6f422545a4273412a90df532cfba.exe
Size

241KB
MD5

671e6f422545a4273412a90df532cfba
SHA1

f0fc814796366c45b48d998663f26b68bdf84150
SHA256

3729cc0e9183d4e4e6e7c9b82311538cc4357e35f817c32791131cc62a32ae1a
SHA512

2f07e3ce8a344347697a33346fef48cadab56c4e6bb815147bec8d832acee78652926d3e2ce318fa35f3b3fd99090f36148240fb2035c4a14c1f15261e8232c2

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2340-19-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/2340-20-0x0000000000420ECE-mapping.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

Mfdgizpvvdk2.exew3bnplf2.p5a.exew3bnplf2.p5a.tmpMfdgizpvvdk2.exe

pid process

2240 Mfdgizpvvdk2.exe
3856 w3bnplf2.p5a.exe
3844 w3bnplf2.p5a.tmp
2340 Mfdgizpvvdk2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Mfdgizpvvdk2.exe

description pid process target process

PID 2240 set thread context of 2340 2240 Mfdgizpvvdk2.exe Mfdgizpvvdk2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2240	Mfdgizpvvdk2.exe
3856	w3bnplf2.p5a.exe
3844	w3bnplf2.p5a.tmp
2340	Mfdgizpvvdk2.exe

description	pid	process	target process
PID 2240 set thread context of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

671e6f422545a4273412a90df532cfba.exeMfdgizpvvdk2.exeMfdgizpvvdk2.exe

description	pid	process
Token: SeDebugPrivilege	984	671e6f422545a4273412a90df532cfba.exe
Token: SeDebugPrivilege	2240	Mfdgizpvvdk2.exe
Token: SeDebugPrivilege	2340	Mfdgizpvvdk2.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

671e6f422545a4273412a90df532cfba.exew3bnplf2.p5a.exeMfdgizpvvdk2.exe

description	pid	process	target process
PID 984 wrote to memory of 2240	984	671e6f422545a4273412a90df532cfba.exe	Mfdgizpvvdk2.exe
PID 984 wrote to memory of 2240	984	671e6f422545a4273412a90df532cfba.exe	Mfdgizpvvdk2.exe
PID 984 wrote to memory of 2240	984	671e6f422545a4273412a90df532cfba.exe	Mfdgizpvvdk2.exe
PID 984 wrote to memory of 3856	984	671e6f422545a4273412a90df532cfba.exe	w3bnplf2.p5a.exe
PID 984 wrote to memory of 3856	984	671e6f422545a4273412a90df532cfba.exe	w3bnplf2.p5a.exe
PID 984 wrote to memory of 3856	984	671e6f422545a4273412a90df532cfba.exe	w3bnplf2.p5a.exe
PID 3856 wrote to memory of 3844	3856	w3bnplf2.p5a.exe	w3bnplf2.p5a.tmp
PID 3856 wrote to memory of 3844	3856	w3bnplf2.p5a.exe	w3bnplf2.p5a.tmp
PID 3856 wrote to memory of 3844	3856	w3bnplf2.p5a.exe	w3bnplf2.p5a.tmp
PID 2240 wrote to memory of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 2240 wrote to memory of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 2240 wrote to memory of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 2240 wrote to memory of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 2240 wrote to memory of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 2240 wrote to memory of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 2240 wrote to memory of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe
PID 2240 wrote to memory of 2340	2240	Mfdgizpvvdk2.exe	Mfdgizpvvdk2.exe

C:\Users\Admin\AppData\Local\Temp\671e6f422545a4273412a90df532cfba.exe
"C:\Users\Admin\AppData\Local\Temp\671e6f422545a4273412a90df532cfba.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Roaming\zczsadzz.2i4\Mfdgizpvvdk2.exe
"C:\Users\Admin\AppData\Roaming\zczsadzz.2i4\Mfdgizpvvdk2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Roaming\zczsadzz.2i4\Mfdgizpvvdk2.exe
"C:\Users\Admin\AppData\Roaming\zczsadzz.2i4\Mfdgizpvvdk2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Users\Admin\AppData\Roaming\w3bnplf2.p5a.exe
"C:\Users\Admin\AppData\Roaming\w3bnplf2.p5a.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Local\Temp\is-OAB86.tmp\w3bnplf2.p5a.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OAB86.tmp\w3bnplf2.p5a.tmp" /SL5="$30110,239637957,780800,C:\Users\Admin\AppData\Roaming\w3bnplf2.p5a.exe"
3⤵
- Executes dropped EXE
PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mfdgizpvvdk2.exe.log

MD5
076d7c48064de4effadfe36d1857322d

SHA1
273f4d3f67c4ec0a637317ce2a536e52cc1c2090

SHA256
7cdcfb48cb249895caa7d3b5ce9ad53c7185d426f0f5669fe79bc5e047ff29ed

SHA512
e540c14a5093a1607dd47b0cdf96e21957d1b70aae24dcd99cdb3e3292451222760e8106b1e6e6091928b9998a6d307709e39081565a5e49d85c64e03bc55abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OAB86.tmp\w3bnplf2.p5a.tmp

MD5
2e235b3479d33384ce630bf617e38247

SHA1
1bb46d0bbbe1dc8c6194ea3ebbb786e72df8c781

SHA256
f9d962301954f9e0e9ead70a4ad9ff0a68ee5bf7ee2b70155792de1ac85f2672

SHA512
72e31cc6e812f6c4f9a244f2433f1006f5e3e52f5e6c17eb7ff04dfff20e55fdf93f0e8ff78a854041d363d986342f6919c4ab79aefb4780efd16a6ab701f44f

Download Submit
C:\Users\Admin\AppData\Roaming\w3bnplf2.p5a.exe

MD5
017289d3b7ab4d3f9eb701bf3f5422b5

SHA1
7aa877f84a589b00daebf9d0b0fe2ccc7248c74d

SHA256
f7851c348584ce432dfd8e69b74a168c7dec33ebfddc29c96ad2d6b83aded083

SHA512
7162ee337e89cc6b371412bbc1471c583d46bd36653c8550d7c352451d5442a394cb760769d19d0d1beb109dc9bfee3b56daacba8d20ea6394010a15def656dd

Download Submit
C:\Users\Admin\AppData\Roaming\w3bnplf2.p5a.exe

MD5
017289d3b7ab4d3f9eb701bf3f5422b5

SHA1
7aa877f84a589b00daebf9d0b0fe2ccc7248c74d

SHA256
f7851c348584ce432dfd8e69b74a168c7dec33ebfddc29c96ad2d6b83aded083

SHA512
7162ee337e89cc6b371412bbc1471c583d46bd36653c8550d7c352451d5442a394cb760769d19d0d1beb109dc9bfee3b56daacba8d20ea6394010a15def656dd

Download Submit
C:\Users\Admin\AppData\Roaming\zczsadzz.2i4\Mfdgizpvvdk2.exe

MD5
a9f97dc2289b31d13ca8dbcb70505ae2

SHA1
37fb44ea49c12e46c4865304ea0740b14f49daad

SHA256
f5104bdce7833fc1389cf0e5c5e46a07e69cf8e85abb4062fc4d00278fbcdfb0

SHA512
efb132f3ec5f29ff64195e546d5bbd57a2618428e7651ffb60efa8e79f8f966b8a60062118e645c24acdca6f01ed9f8de640c750cea696f6862be83cb5c1f369

Download Submit
C:\Users\Admin\AppData\Roaming\zczsadzz.2i4\Mfdgizpvvdk2.exe

MD5
a9f97dc2289b31d13ca8dbcb70505ae2

SHA1
37fb44ea49c12e46c4865304ea0740b14f49daad

SHA256
f5104bdce7833fc1389cf0e5c5e46a07e69cf8e85abb4062fc4d00278fbcdfb0

SHA512
efb132f3ec5f29ff64195e546d5bbd57a2618428e7651ffb60efa8e79f8f966b8a60062118e645c24acdca6f01ed9f8de640c750cea696f6862be83cb5c1f369

Download Submit
C:\Users\Admin\AppData\Roaming\zczsadzz.2i4\Mfdgizpvvdk2.exe

MD5
a9f97dc2289b31d13ca8dbcb70505ae2

SHA1
37fb44ea49c12e46c4865304ea0740b14f49daad

SHA256
f5104bdce7833fc1389cf0e5c5e46a07e69cf8e85abb4062fc4d00278fbcdfb0

SHA512
efb132f3ec5f29ff64195e546d5bbd57a2618428e7651ffb60efa8e79f8f966b8a60062118e645c24acdca6f01ed9f8de640c750cea696f6862be83cb5c1f369

Download Submit
memory/984-3-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/984-2-0x00007FF90B900000-0x00007FF90C2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2240-9-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/2240-8-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/2240-5-0x0000000000000000-mapping.dmp

Download
memory/2240-16-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2240-17-0x00000000054D0000-0x000000000550A000-memory.dmp

Filesize
232KB

Download
memory/2240-18-0x0000000005790000-0x00000000057A6000-memory.dmp

Filesize
88KB

Download
memory/2340-20-0x0000000000420ECE-mapping.dmp

Download
memory/2340-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2340-23-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/2340-26-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2340-27-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2340-28-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2340-29-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2340-30-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3844-14-0x0000000000000000-mapping.dmp

Download
memory/3856-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads