redline | feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5

General

Target

forderung.pdf.exe
Size

265KB
MD5

e6de6f3450a5dbfc9299a582e74ab242
SHA1

3ecca1133b89e1032b8c77774089accf9ea2af85
SHA256

feea736830ca5f27a8bceb7f9ffd01218bbc7301b5d8d3ab5e0716471e5f8ad5
SHA512

a63f49e5da3bb6153c790272310f288d3e5cbffe23f2d33b30ca6f0911c8728cc09abd2974e1c100172799ea8bb164713ab81bd7b5cb126dbe95d6b1ce1fa472

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1052-18-0x0000000000400000-0x0000000000440000-memory.dmp	family_redline
behavioral1/memory/1052-19-0x000000000043BA5E-mapping.dmp	family_redline
behavioral1/memory/1052-21-0x0000000000400000-0x0000000000440000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

forderung.pdf.exe

description pid process target process

PID 324 set thread context of 1052 324 forderung.pdf.exe AddInProcess32.exe

description	pid	process	target process
PID 324 set thread context of 1052	324	forderung.pdf.exe	AddInProcess32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

forderung.pdf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	forderung.pdf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	forderung.pdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

1052 AddInProcess32.exe
1052 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

forderung.pdf.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 324 forderung.pdf.exe
Token: SeDebugPrivilege 1052 AddInProcess32.exe

pid	process
1052	AddInProcess32.exe
1052	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	324	forderung.pdf.exe
Token: SeDebugPrivilege	1052	AddInProcess32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

forderung.pdf.exe

description	pid	process	target process
PID 324 wrote to memory of 864	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 864	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 864	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 864	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe
PID 324 wrote to memory of 1052	324	forderung.pdf.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\forderung.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\forderung.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-2-0x0000000003C50000-0x0000000003C61000-memory.dmp

Filesize
68KB

Download
memory/324-3-0x0000000003E50000-0x0000000003E61000-memory.dmp

Filesize
68KB

Download
memory/324-4-0x00000000001C0000-0x00000000001EB000-memory.dmp

Filesize
172KB

Download
memory/324-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/324-6-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/324-7-0x0000000006701000-0x0000000006702000-memory.dmp

Filesize
4KB

Download
memory/324-8-0x0000000003D50000-0x0000000003D60000-memory.dmp

Filesize
64KB

Download
memory/324-14-0x0000000003D80000-0x0000000003D8F000-memory.dmp

Filesize
60KB

Download
memory/324-15-0x0000000006702000-0x0000000006703000-memory.dmp

Filesize
4KB

Download
memory/324-16-0x0000000006703000-0x0000000006704000-memory.dmp

Filesize
4KB

Download
memory/324-17-0x0000000006704000-0x0000000006706000-memory.dmp

Filesize
8KB

Download
memory/1052-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-19-0x000000000043BA5E-mapping.dmp

Download
memory/1052-20-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/1052-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-23-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads