redline | 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f

General

Target

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
Size

1.3MB
MD5

5117da426fe56ffdde2c13745ff6b46b
SHA1

9327d4fd989a2f3681043af4c7809e0e693bd929
SHA256

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f
SHA512

53e1328a253cdf2d9298a0055e85ceb8a7d37e901a5eb5a679453a6fc6bf3496025edd2c73fb5edb3721a53bf02ccf44edfc09068a43a60ba2ced6d4e8b5de26

Score

10^/10

redline agilenet infostealer spyware

Malware Config

Extracted

Family

redline

C2

45.139.236.56:8734

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1512-63-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1512-64-0x000000000041653E-mapping.dmp	family_redline
behavioral1/memory/1512-65-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1612-62-0x0000000001EF0000-0x0000000001EFB000-memory.dmp	agile_net

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe

description	pid	process	target process
PID 1612 set thread context of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

1512 AddInProcess32.exe
1512 AddInProcess32.exe

pid	process
1512	AddInProcess32.exe
1512	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
Token: SeDebugPrivilege	1512	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe

description	pid	process	target process
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 1612 wrote to memory of 1512	1612	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
"C:\Users\Admin\AppData\Local\Temp\297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1512-64-0x000000000041653E-mapping.dmp

Download
memory/1512-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1512-67-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1612-59-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1612-61-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1612-62-0x0000000001EF0000-0x0000000001EFB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads