redline | 1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818

General

Target

1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe
Size

16KB
MD5

ea28f02c1be43708f4a53152a022900b
SHA1

515cec6125b3a21e5e9dc86661d75b8658835cf8
SHA256

1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818
SHA512

45956effd7889e28f1239e1c230cff9c51dc894a0675baf8b72acc84a0eada6f95083afd4eaeeb69cd60f014c1175fbc8ef132bc4de0ce47fde5d081894d4fa5

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2168-15-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/2168-16-0x0000000000421E02-mapping.dmp	family_redline
behavioral2/memory/580-38-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline
behavioral2/memory/580-39-0x0000000000423FC2-mapping.dmp	family_redline
behavioral2/memory/1792-60-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline
behavioral2/memory/1792-61-0x0000000000423F8A-mapping.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

zaopon.exemarfe.exeuserm.exe

pid process

4116 zaopon.exe
3876 marfe.exe
932 userm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4116	zaopon.exe
3876	marfe.exe
932	userm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zaopon.exemarfe.exeuserm.exe

description	pid	process	target process
PID 4116 set thread context of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 3876 set thread context of 580	3876	marfe.exe	AddInProcess32.exe
PID 932 set thread context of 1792	932	userm.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AddInProcess32.exeAddInProcess32.exeAddInProcess32.exe

pid process

2168 AddInProcess32.exe
580 AddInProcess32.exe
580 AddInProcess32.exe
1792 AddInProcess32.exe

pid	process
2168	AddInProcess32.exe
580	AddInProcess32.exe
580	AddInProcess32.exe
1792	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exezaopon.exemarfe.exeuserm.exeAddInProcess32.exeAddInProcess32.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe
Token: SeDebugPrivilege	4116	zaopon.exe
Token: SeDebugPrivilege	3876	marfe.exe
Token: SeDebugPrivilege	932	userm.exe
Token: SeDebugPrivilege	2168	AddInProcess32.exe
Token: SeDebugPrivilege	580	AddInProcess32.exe
Token: SeDebugPrivilege	1792	AddInProcess32.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exezaopon.exemarfe.exeuserm.execmd.exe

description	pid	process	target process
PID 4632 wrote to memory of 4116	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	zaopon.exe
PID 4632 wrote to memory of 4116	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	zaopon.exe
PID 4632 wrote to memory of 4116	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	zaopon.exe
PID 4116 wrote to memory of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 4116 wrote to memory of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 4116 wrote to memory of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 4116 wrote to memory of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 4116 wrote to memory of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 4116 wrote to memory of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 4116 wrote to memory of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 4116 wrote to memory of 2168	4116	zaopon.exe	AddInProcess32.exe
PID 4632 wrote to memory of 3876	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	marfe.exe
PID 4632 wrote to memory of 3876	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	marfe.exe
PID 4632 wrote to memory of 3876	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	marfe.exe
PID 3876 wrote to memory of 528	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 528	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 528	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 580	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 580	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 580	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 580	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 580	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 580	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 580	3876	marfe.exe	AddInProcess32.exe
PID 3876 wrote to memory of 580	3876	marfe.exe	AddInProcess32.exe
PID 4632 wrote to memory of 932	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	userm.exe
PID 4632 wrote to memory of 932	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	userm.exe
PID 4632 wrote to memory of 932	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	userm.exe
PID 932 wrote to memory of 1792	932	userm.exe	AddInProcess32.exe
PID 932 wrote to memory of 1792	932	userm.exe	AddInProcess32.exe
PID 932 wrote to memory of 1792	932	userm.exe	AddInProcess32.exe
PID 932 wrote to memory of 1792	932	userm.exe	AddInProcess32.exe
PID 932 wrote to memory of 1792	932	userm.exe	AddInProcess32.exe
PID 932 wrote to memory of 1792	932	userm.exe	AddInProcess32.exe
PID 932 wrote to memory of 1792	932	userm.exe	AddInProcess32.exe
PID 932 wrote to memory of 1792	932	userm.exe	AddInProcess32.exe
PID 4632 wrote to memory of 1596	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	cmd.exe
PID 4632 wrote to memory of 1596	4632	1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe	cmd.exe
PID 1596 wrote to memory of 4024	1596	cmd.exe	choice.exe
PID 1596 wrote to memory of 4024	1596	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe
"C:\Users\Admin\AppData\Local\Temp\1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\zaopon.exe
"C:\Users\Admin\AppData\Local\Temp\zaopon.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Users\Admin\AppData\Local\Temp\marfe.exe
"C:\Users\Admin\AppData\Local\Temp\marfe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Users\Admin\AppData\Local\Temp\userm.exe
"C:\Users\Admin\AppData\Local\Temp\userm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "1ce039aea64adef141e569f8b0ac547da1e4ae0920b4060de9041cf8f16db818.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 1
3⤵
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log
MD5
3375f93b9adc89753e8d23050bce6ca0

SHA1
9532d3600af4bd299e649e8dfd16896ba63fd27e

SHA256
dcea8294dccb23d9690c3f14ebe53b4ed0ee4da80171f238e9cf8160ac708295

SHA512
b4c65c9bb265992311707149cd2e285ae87eaabf179e046d2e38dd22901b84c1aa1ea94966d6f4eed31230f2869ccde47587ec65e92ca58d3a8b1f8358786a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\marfe.exe
MD5
96e94bdf437ef558b61c1d9cb2b06113

SHA1
df0f25f65c94b6694028e84e94d7183e66bc2b2e

SHA256
851e68d08465ef9a37f39b5d59ec87fd245356726a449478f1a5f01db8da46fa

SHA512
a7168be62716f94e20ba8c7453e0295d2c5fe98af822455515133b25f22c874548590f417295ef42fbc1025edfddb714283827a42602682a44f227334d0365a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\marfe.exe
MD5
96e94bdf437ef558b61c1d9cb2b06113

SHA1
df0f25f65c94b6694028e84e94d7183e66bc2b2e

SHA256
851e68d08465ef9a37f39b5d59ec87fd245356726a449478f1a5f01db8da46fa

SHA512
a7168be62716f94e20ba8c7453e0295d2c5fe98af822455515133b25f22c874548590f417295ef42fbc1025edfddb714283827a42602682a44f227334d0365a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\userm.exe
MD5
64ef32d30b602f6c89ef4108fa27ac9f

SHA1
e2466274344cf1a919a4ed9715a3f8e9aae6d0c1

SHA256
3b95cf1f90f4225939c4715b66599b5ffd3363409b67e1fb5a6e035017bea652

SHA512
c6676076a714f5f514c3ecc079907a42967240266ab5c9de1842665ea6eaba003ba4544c2dea8f3411e0157d3c8599c3a4303ea6e42381b54cb5404e0545ef4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\userm.exe
MD5
64ef32d30b602f6c89ef4108fa27ac9f

SHA1
e2466274344cf1a919a4ed9715a3f8e9aae6d0c1

SHA256
3b95cf1f90f4225939c4715b66599b5ffd3363409b67e1fb5a6e035017bea652

SHA512
c6676076a714f5f514c3ecc079907a42967240266ab5c9de1842665ea6eaba003ba4544c2dea8f3411e0157d3c8599c3a4303ea6e42381b54cb5404e0545ef4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaopon.exe
MD5
99442aa7c203e47ccea232bd3eaf7d38

SHA1
155d05aef1fb4341df0c573cf9ff90c94ec53d28

SHA256
658134ceb037b17adbb6be720759f485d84acbbcad019fff86a9e7deec53fc0f

SHA512
6c84df5d6ba9cec6fd65864b3f9a893ee73304c80e5669857054acd7f1e2206c8843fb4e867ce57347cf824fe1f111293266e16659dbf8c9612314957e19fd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaopon.exe
MD5
99442aa7c203e47ccea232bd3eaf7d38

SHA1
155d05aef1fb4341df0c573cf9ff90c94ec53d28

SHA256
658134ceb037b17adbb6be720759f485d84acbbcad019fff86a9e7deec53fc0f

SHA512
6c84df5d6ba9cec6fd65864b3f9a893ee73304c80e5669857054acd7f1e2206c8843fb4e867ce57347cf824fe1f111293266e16659dbf8c9612314957e19fd66

Download Submit
memory/580-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/580-39-0x0000000000423FC2-mapping.dmp

Download
memory/580-40-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/580-91-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/580-53-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/932-55-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/932-49-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/932-47-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/932-44-0x0000000000000000-mapping.dmp

Download
memory/1596-63-0x0000000000000000-mapping.dmp

Download
memory/1792-68-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/1792-62-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/1792-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1792-61-0x0000000000423F8A-mapping.dmp

Download
memory/2168-16-0x0000000000421E02-mapping.dmp

Download
memory/2168-75-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/2168-35-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2168-87-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/2168-36-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2168-37-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/2168-32-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2168-30-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2168-33-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2168-79-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/2168-78-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/2168-77-0x0000000006580000-0x0000000006581000-memory.dmp

Filesize
4KB

Download
memory/2168-17-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-76-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/2168-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3876-28-0x0000000001100000-0x0000000001102000-memory.dmp

Filesize
8KB

Download
memory/3876-34-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/3876-26-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3876-24-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/3876-21-0x0000000000000000-mapping.dmp

Download
memory/4024-69-0x0000000000000000-mapping.dmp

Download
memory/4116-9-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/4116-14-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4116-6-0x0000000000000000-mapping.dmp

Download
memory/4116-13-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4116-10-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/4116-12-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4632-2-0x00007FF9C90A0000-0x00007FF9C9A8C000-memory.dmp

Filesize
9.9MB

Download
memory/4632-5-0x000000001C1F0000-0x000000001C1F2000-memory.dmp

Filesize
8KB

Download
memory/4632-3-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads