redline | abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74

General

Target

SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
Size

256KB
MD5

8ca675896f6c9ad9fe8deb1cc63bf8f5
SHA1

59ce426a1d26cf3a5a8552da59263475bfded136
SHA256

abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74
SHA512

d9225a3903610408d8dfb7447f8ca37a4dec05b1b86ad56c4c99e4f22087ab75a2283e827032ebf03735276601ba87827b303a52ca06c04908314bc16872babc

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2464-43-0x000000000041E1AA-mapping.dmp	family_redline
behavioral2/memory/2464-47-0x0000000000700000-0x0000000000726000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

2041131341.exe1090905469.exeRegAsm.exe

pid process

3324 2041131341.exe
3752 1090905469.exe
2464 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1090905469.exe

description pid process target process

PID 3752 set thread context of 2464 3752 1090905469.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1090905469.exe

pid process

3752 1090905469.exe
3752 1090905469.exe

pid	process
3324	2041131341.exe
3752	1090905469.exe
2464	RegAsm.exe

description	pid	process	target process
PID 3752 set thread context of 2464	3752	1090905469.exe	RegAsm.exe

pid	process
3752	1090905469.exe
3752	1090905469.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe2041131341.exe1090905469.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3996	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
Token: SeDebugPrivilege	3324	2041131341.exe
Token: SeDebugPrivilege	3752	1090905469.exe
Token: SeDebugPrivilege	2464	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe1090905469.exe

description	pid	process	target process
PID 3996 wrote to memory of 3324	3996	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	2041131341.exe
PID 3996 wrote to memory of 3324	3996	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	2041131341.exe
PID 3996 wrote to memory of 3324	3996	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	2041131341.exe
PID 3996 wrote to memory of 3752	3996	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 3996 wrote to memory of 3752	3996	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 3996 wrote to memory of 3752	3996	SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe	1090905469.exe
PID 3752 wrote to memory of 2464	3752	1090905469.exe	RegAsm.exe
PID 3752 wrote to memory of 2464	3752	1090905469.exe	RegAsm.exe
PID 3752 wrote to memory of 2464	3752	1090905469.exe	RegAsm.exe
PID 3752 wrote to memory of 2464	3752	1090905469.exe	RegAsm.exe
PID 3752 wrote to memory of 2464	3752	1090905469.exe	RegAsm.exe
PID 3752 wrote to memory of 2464	3752	1090905469.exe	RegAsm.exe
PID 3752 wrote to memory of 2464	3752	1090905469.exe	RegAsm.exe
PID 3752 wrote to memory of 2464	3752	1090905469.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.62670.17922.27207.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\2041131341.exe
"C:\Users\Admin\AppData\Local\Temp\2041131341.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Users\Admin\AppData\Local\Temp\1090905469.exe
"C:\Users\Admin\AppData\Local\Temp\1090905469.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1090905469.exe
MD5
3ab5db8a82b6ca11f37100b4fa751c72

SHA1
a34ca15f4e9ce9364da1e3e2f12aac7ba45a12bc

SHA256
c0c68e99e32734375809943760576f5eb7f487360b58d311f1b4f7d6c8a0c6df

SHA512
c8d078a544353c7524877e8030dcb71f0e0ceb98daa9547ba592748731645e326a857b93f0d63571ace57ffcb9cd5216c88aba1651ff8d4ff01b62f0e535f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090905469.exe
MD5
3ab5db8a82b6ca11f37100b4fa751c72

SHA1
a34ca15f4e9ce9364da1e3e2f12aac7ba45a12bc

SHA256
c0c68e99e32734375809943760576f5eb7f487360b58d311f1b4f7d6c8a0c6df

SHA512
c8d078a544353c7524877e8030dcb71f0e0ceb98daa9547ba592748731645e326a857b93f0d63571ace57ffcb9cd5216c88aba1651ff8d4ff01b62f0e535f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2041131341.exe
MD5
526489ddbfd0d84e845ccd132cae5555

SHA1
a6a2b7c7d8e15ebc3918b212ca6952818fe8cf3a

SHA256
93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e

SHA512
fd4d0175487e06ac8ade388f5c7d43f80bc101cbfb2b2eeefb0b62be281e8eddc99a5a29124ca2bd0c4e25f649b9fe7b6154b7f86b392fadf3194d27651a7a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\2041131341.exe
MD5
526489ddbfd0d84e845ccd132cae5555

SHA1
a6a2b7c7d8e15ebc3918b212ca6952818fe8cf3a

SHA256
93e07d6f564005880909df7a48a6775e409d50fd09f4ea55962003631fb7d81e

SHA512
fd4d0175487e06ac8ade388f5c7d43f80bc101cbfb2b2eeefb0b62be281e8eddc99a5a29124ca2bd0c4e25f649b9fe7b6154b7f86b392fadf3194d27651a7a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/2464-50-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2464-47-0x0000000000700000-0x0000000000726000-memory.dmp

Filesize
152KB

Download
memory/2464-46-0x00000000738B0000-0x0000000073F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-43-0x000000000041E1AA-mapping.dmp

Download
memory/2464-52-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/2464-53-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2464-54-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2464-55-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2464-56-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/3324-14-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/3324-19-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/3324-20-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/3324-21-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3324-23-0x0000000004A83000-0x0000000004A84000-memory.dmp

Filesize
4KB

Download
memory/3324-24-0x0000000004A84000-0x0000000004A86000-memory.dmp

Filesize
8KB

Download
memory/3324-22-0x0000000004A82000-0x0000000004A83000-memory.dmp

Filesize
4KB

Download
memory/3324-18-0x0000000004900000-0x000000000490C000-memory.dmp

Filesize
48KB

Download
memory/3324-16-0x0000000002260000-0x000000000226D000-memory.dmp

Filesize
52KB

Download
memory/3324-15-0x00000000738B0000-0x0000000073F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3324-11-0x0000000000000000-mapping.dmp

Download
memory/3752-25-0x0000000000000000-mapping.dmp

Download
memory/3752-32-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3752-33-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3752-34-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/3752-36-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3752-37-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/3752-38-0x0000000006F80000-0x0000000006FAF000-memory.dmp

Filesize
188KB

Download
memory/3752-39-0x00000000053E1000-0x00000000053E2000-memory.dmp

Filesize
4KB

Download
memory/3752-40-0x0000000004C60000-0x0000000004C6B000-memory.dmp

Filesize
44KB

Download
memory/3752-41-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3752-29-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3752-28-0x00000000738B0000-0x0000000073F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3996-2-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3996-10-0x0000000004B04000-0x0000000004B06000-memory.dmp

Filesize
8KB

Download
memory/3996-9-0x0000000004B03000-0x0000000004B04000-memory.dmp

Filesize
4KB

Download
memory/3996-8-0x0000000004B02000-0x0000000004B03000-memory.dmp

Filesize
4KB

Download
memory/3996-7-0x0000000004A40000-0x0000000004A49000-memory.dmp

Filesize
36KB

Download
memory/3996-6-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3996-5-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3996-4-0x00000000024A0000-0x00000000024AA000-memory.dmp

Filesize
40KB

Download
memory/3996-3-0x00000000738B0000-0x0000000073F9E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads