redline | 08fa32b60c3a2d7c71e3be07021113e25eb9d13a79b34734f69efb341a88604f

General

Target

3fa383ee84580d83880217fd61449698.exe
Size

418KB
MD5

3fa383ee84580d83880217fd61449698
SHA1

aa78a35156892e68d6a0e93ff3f34c30faea0c1f
SHA256

08fa32b60c3a2d7c71e3be07021113e25eb9d13a79b34734f69efb341a88604f
SHA512

4b41615d89efe3cf63f680481e09003d67716c7b45c4ad3d02944e720a900008db166c5bc604f1dacbc5b6c0231b008c2825ceaf89408866a3223c18c038d265

Score

10^/10

redline v1 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

v1

C2

199.195.251.96:43073

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1548-63-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1548-64-0x000000000041622A-mapping.dmp	family_redline
behavioral1/memory/1548-65-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

3fa383ee84580d83880217fd61449698.exe

description pid process target process

PID 1684 set thread context of 1548 1684 3fa383ee84580d83880217fd61449698.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

1548 AddInProcess32.exe
1548 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3fa383ee84580d83880217fd61449698.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1684 3fa383ee84580d83880217fd61449698.exe
Token: SeDebugPrivilege 1548 AddInProcess32.exe

description	pid	process	target process
PID 1684 set thread context of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe

pid	process
1548	AddInProcess32.exe
1548	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1684	3fa383ee84580d83880217fd61449698.exe
Token: SeDebugPrivilege	1548	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3fa383ee84580d83880217fd61449698.exe

description	pid	process	target process
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe
PID 1684 wrote to memory of 1548	1684	3fa383ee84580d83880217fd61449698.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\3fa383ee84580d83880217fd61449698.exe
"C:\Users\Admin\AppData\Local\Temp\3fa383ee84580d83880217fd61449698.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1548-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1548-64-0x000000000041622A-mapping.dmp

Download
memory/1548-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1548-67-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1684-59-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/1684-61-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/1684-62-0x00000000009F0000-0x00000000009FB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing