redline | afed0a47186fef3c335df0a826aa6629133613755da5ca465b444062831124b4

General

Target

e5061882fa11230c04d4114f25ae4a64.exe
Size

627KB
MD5

e5061882fa11230c04d4114f25ae4a64
SHA1

5852fa886404603f323f861a205a87e463868c9f
SHA256

afed0a47186fef3c335df0a826aa6629133613755da5ca465b444062831124b4
SHA512

94df77e559aa98ba50e311f9b2045dfcbbc1f591cf3af232aafad5115effc1d6f26fb8accbdbb64615950edf665f5e79aa0116a0279644fd86c03ce78a53060d

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/192-13-0x0000000002520000-0x0000000002549000-memory.dmp	family_redline
behavioral2/memory/192-15-0x0000000002940000-0x0000000002967000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

noabu.exe

pid process

192 noabu.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
192	noabu.exe

flow	ioc
17	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e5061882fa11230c04d4114f25ae4a64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e5061882fa11230c04d4114f25ae4a64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e5061882fa11230c04d4114f25ae4a64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

noabu.exe

description pid process

Token: SeDebugPrivilege 192 noabu.exe

description	pid	process
Token: SeDebugPrivilege	192	noabu.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e5061882fa11230c04d4114f25ae4a64.exe

description	pid	process	target process
PID 644 wrote to memory of 192	644	e5061882fa11230c04d4114f25ae4a64.exe	noabu.exe
PID 644 wrote to memory of 192	644	e5061882fa11230c04d4114f25ae4a64.exe	noabu.exe
PID 644 wrote to memory of 192	644	e5061882fa11230c04d4114f25ae4a64.exe	noabu.exe

C:\Users\Admin\AppData\Local\Temp\e5061882fa11230c04d4114f25ae4a64.exe
"C:\Users\Admin\AppData\Local\Temp\e5061882fa11230c04d4114f25ae4a64.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Roaming\paperships\noabu.exe
noabu.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\paperships\noabu.exe

MD5
edf5924ecc6f37c1bcea5a1b4c3378be

SHA1
936ef778a6d8a6f5fbd5a50c5eb08cea58a846ce

SHA256
fa8288121fc03ad692564b12fa8483fe51f4086910d748db2be43eebb6a67de2

SHA512
9bec4280c9ce85db81cac7794aa68be8ac49793c2f65f4629eb5d6fd4d4f8e0558dfc016d74c9c6f589b3a1bee5f6bc6c951977cb7f613520bc6b4a6d91aaee9

Download Submit
C:\Users\Admin\AppData\Roaming\paperships\noabu.exe

MD5
edf5924ecc6f37c1bcea5a1b4c3378be

SHA1
936ef778a6d8a6f5fbd5a50c5eb08cea58a846ce

SHA256
fa8288121fc03ad692564b12fa8483fe51f4086910d748db2be43eebb6a67de2

SHA512
9bec4280c9ce85db81cac7794aa68be8ac49793c2f65f4629eb5d6fd4d4f8e0558dfc016d74c9c6f589b3a1bee5f6bc6c951977cb7f613520bc6b4a6d91aaee9

Download Submit
memory/192-14-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/192-26-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/192-15-0x0000000002940000-0x0000000002967000-memory.dmp

Filesize
156KB

Download
memory/192-25-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/192-8-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/192-9-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/192-10-0x00000000730A0000-0x000000007378E000-memory.dmp

Filesize
6.9MB

Download
memory/192-11-0x0000000000980000-0x00000000009B5000-memory.dmp

Filesize
212KB

Download
memory/192-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/192-17-0x00000000052B2000-0x00000000052B3000-memory.dmp

Filesize
4KB

Download
memory/192-5-0x0000000000000000-mapping.dmp

Download
memory/192-24-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/192-13-0x0000000002520000-0x0000000002549000-memory.dmp

Filesize
164KB

Download
memory/192-16-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/192-18-0x00000000052B3000-0x00000000052B4000-memory.dmp

Filesize
4KB

Download
memory/192-19-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/192-20-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/192-21-0x00000000052B4000-0x00000000052B6000-memory.dmp

Filesize
8KB

Download
memory/192-22-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/192-23-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/644-4-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/644-3-0x0000000000A40000-0x0000000000B0F000-memory.dmp

Filesize
828KB

Download
memory/644-2-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads