redline | 297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f

General

Target

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
Size

1.3MB
MD5

5117da426fe56ffdde2c13745ff6b46b
SHA1

9327d4fd989a2f3681043af4c7809e0e693bd929
SHA256

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f
SHA512

53e1328a253cdf2d9298a0055e85ceb8a7d37e901a5eb5a679453a6fc6bf3496025edd2c73fb5edb3721a53bf02ccf44edfc09068a43a60ba2ced6d4e8b5de26

Score

10^/10

redline agilenet infostealer spyware

Malware Config

Extracted

Family

redline

C2

45.139.236.56:8734

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1884-121-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral2/memory/1884-122-0x000000000041653E-mapping.dmp	family_redline

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2256-120-0x0000000005920000-0x000000000592B000-memory.dmp	agile_net

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe

description	pid	process	target process
PID 2256 set thread context of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

1884 AddInProcess32.exe
1884 AddInProcess32.exe

pid	process
1884	AddInProcess32.exe
1884	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
Token: SeDebugPrivilege	1884	AddInProcess32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe

description	pid	process	target process
PID 2256 wrote to memory of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 2256 wrote to memory of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 2256 wrote to memory of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 2256 wrote to memory of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 2256 wrote to memory of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 2256 wrote to memory of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 2256 wrote to memory of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe
PID 2256 wrote to memory of 1884	2256	297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe
"C:\Users\Admin\AppData\Local\Temp\297976d069d3366a587c6de27aec29f2b729872d199a7e437ced83c4f1bb5c9f-20210421-122257.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1884-129-0x0000000005020000-0x0000000005626000-memory.dmp

Filesize
6.0MB

Download
memory/1884-130-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1884-126-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1884-127-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1884-125-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1884-135-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/1884-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1884-122-0x000000000041653E-mapping.dmp

Download
memory/1884-136-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/1884-134-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/1884-133-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/1884-128-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/2256-120-0x0000000005920000-0x000000000592B000-memory.dmp

Filesize
44KB

Download
memory/2256-114-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2256-118-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/2256-117-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/2256-116-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/2256-119-0x00000000055D0000-0x0000000005ACE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads