redline | 83b897270a955267f21de7462bdbe05910e48825ef79cc8ae142713f925fb802

General

Target

skipper.exe
Size

1.1MB
MD5

dba8101da0c11a3026fbd7278f28f977
SHA1

0f17ce1e24adfe2386e6e25c68100749e5d79dbb
SHA256

83b897270a955267f21de7462bdbe05910e48825ef79cc8ae142713f925fb802
SHA512

f912e8a79c3a0275b57fd2b652fc92ccd5c7595ef329331f14a0529c109d7e72482ef98929a539b89516a972b8b455484a56d1ca20c5ba5dcea3b49c699b3a21

Score

10^/10

redline 1414 euu infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

EUU

C2

download3.info:80

Extracted

Family

redline

Botnet

1414

C2

188.119.112.16:46409

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2120-120-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral2/memory/2120-121-0x00000000004171EE-mapping.dmp	family_redline
behavioral2/memory/200-142-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral2/memory/200-143-0x000000000042977E-mapping.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

761647212.exe381717225.exe

pid process

744 761647212.exe
1760 381717225.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
744	761647212.exe
1760	381717225.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

761647212.exe381717225.exe

description	pid	process	target process
PID 744 set thread context of 2120	744	761647212.exe	AddInProcess32.exe
PID 1760 set thread context of 200	1760	381717225.exe	AddInProcess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

908 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AddInProcess32.exeAddInProcess32.exe

pid process

2120 AddInProcess32.exe
2120 AddInProcess32.exe
200 AddInProcess32.exe
200 AddInProcess32.exe

pid	process
908	PING.EXE

pid	process
2120	AddInProcess32.exe
2120	AddInProcess32.exe
200	AddInProcess32.exe
200	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

761647212.exeAddInProcess32.exe381717225.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	744	761647212.exe
Token: SeDebugPrivilege	2120	AddInProcess32.exe
Token: SeDebugPrivilege	1760	381717225.exe
Token: SeDebugPrivilege	200	AddInProcess32.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

skipper.exe761647212.exe381717225.execmd.exe

description	pid	process	target process
PID 2232 wrote to memory of 744	2232	skipper.exe	761647212.exe
PID 2232 wrote to memory of 744	2232	skipper.exe	761647212.exe
PID 2232 wrote to memory of 744	2232	skipper.exe	761647212.exe
PID 744 wrote to memory of 4052	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 4052	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 4052	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 4052	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 2120	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 2120	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 2120	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 2120	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 2120	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 2120	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 2120	744	761647212.exe	AddInProcess32.exe
PID 744 wrote to memory of 2120	744	761647212.exe	AddInProcess32.exe
PID 2232 wrote to memory of 1760	2232	skipper.exe	381717225.exe
PID 2232 wrote to memory of 1760	2232	skipper.exe	381717225.exe
PID 2232 wrote to memory of 1760	2232	skipper.exe	381717225.exe
PID 1760 wrote to memory of 200	1760	381717225.exe	AddInProcess32.exe
PID 1760 wrote to memory of 200	1760	381717225.exe	AddInProcess32.exe
PID 1760 wrote to memory of 200	1760	381717225.exe	AddInProcess32.exe
PID 1760 wrote to memory of 200	1760	381717225.exe	AddInProcess32.exe
PID 1760 wrote to memory of 200	1760	381717225.exe	AddInProcess32.exe
PID 1760 wrote to memory of 200	1760	381717225.exe	AddInProcess32.exe
PID 1760 wrote to memory of 200	1760	381717225.exe	AddInProcess32.exe
PID 1760 wrote to memory of 200	1760	381717225.exe	AddInProcess32.exe
PID 2232 wrote to memory of 3116	2232	skipper.exe	cmd.exe
PID 2232 wrote to memory of 3116	2232	skipper.exe	cmd.exe
PID 2232 wrote to memory of 3116	2232	skipper.exe	cmd.exe
PID 3116 wrote to memory of 908	3116	cmd.exe	PING.EXE
PID 3116 wrote to memory of 908	3116	cmd.exe	PING.EXE
PID 3116 wrote to memory of 908	3116	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\skipper.exe
"C:\Users\Admin\AppData\Local\Temp\skipper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\761647212.exe
C:\Users\Admin\AppData\Local\Temp\761647212.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\AppData\Local\Temp\381717225.exe
C:\Users\Admin\AppData\Local\Temp\381717225.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\skipper.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\PING.EXE
ping 0
3⤵
- Runs ping.exe
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log
MD5
6fc881dd3bb50496248d57709eb4ef65

SHA1
867fd7a0f033c421b5a49b153bbb7f0a2a9f35ad

SHA256
6ba63ec508ff5bafd8cbfdf69dae25950fca0cb1294849f416fdfa6760e1bc60

SHA512
69f67beb6094ce4c9bf8b9549992c423e0194ac80c8e1742dc57be26e4a885af6cfd7d1d37dd326266918fa71e41ca566e9a6a9c230b4571e17e0d9c7b553d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\381717225.exe
MD5
cca6e302974f8ad2cf237cbb402f7db8

SHA1
82483651f9c152a2ccf0a7f6a348c14daf73ccfc

SHA256
12da3023f88f28c58bfa10a19cf70481e263bed0ae9bd393369e6ed9b7971827

SHA512
cad0b4afd348085070f4a786bdcd62a5d01ca3413f07315956c09489b3ca92e09a893bc1960d25c9a650eeb3d0c4395a1b47d0562b359285794d9e4c0929ae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\381717225.exe
MD5
cca6e302974f8ad2cf237cbb402f7db8

SHA1
82483651f9c152a2ccf0a7f6a348c14daf73ccfc

SHA256
12da3023f88f28c58bfa10a19cf70481e263bed0ae9bd393369e6ed9b7971827

SHA512
cad0b4afd348085070f4a786bdcd62a5d01ca3413f07315956c09489b3ca92e09a893bc1960d25c9a650eeb3d0c4395a1b47d0562b359285794d9e4c0929ae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\761647212.exe
MD5
d51901e3386120269c6b08fcaa3816e7

SHA1
6b0a36ce8cb5390d4d53800e4bf5281fb0eb5d7e

SHA256
afd25aff257a6b31a2377b9633a0f4227da3112976c749c34858d85436d0af5a

SHA512
5639773bca6fdeefe91ca58776758c1abd2a8a67824365dd0140800ddaa3935dcd4568eeebe8163f564e8d3754bce65b339163a230bd7d17b5c6e16eb5c345f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\761647212.exe
MD5
d51901e3386120269c6b08fcaa3816e7

SHA1
6b0a36ce8cb5390d4d53800e4bf5281fb0eb5d7e

SHA256
afd25aff257a6b31a2377b9633a0f4227da3112976c749c34858d85436d0af5a

SHA512
5639773bca6fdeefe91ca58776758c1abd2a8a67824365dd0140800ddaa3935dcd4568eeebe8163f564e8d3754bce65b339163a230bd7d17b5c6e16eb5c345f5

Download Submit
memory/200-142-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/200-143-0x000000000042977E-mapping.dmp

Download
memory/200-163-0x0000000008C00000-0x0000000008C01000-memory.dmp

Filesize
4KB

Download
memory/200-155-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/200-151-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/200-148-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/200-147-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/744-119-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/744-114-0x0000000000000000-mapping.dmp

Download
memory/744-117-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/908-150-0x0000000000000000-mapping.dmp

Download
memory/1760-134-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/1760-130-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1760-127-0x0000000000000000-mapping.dmp

Download
memory/2120-132-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2120-137-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/2120-139-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/2120-140-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/2120-141-0x00000000088A0000-0x00000000088A1000-memory.dmp

Filesize
4KB

Download
memory/2120-133-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/2120-135-0x0000000005690000-0x0000000005C96000-memory.dmp

Filesize
6.0MB

Download
memory/2120-138-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/2120-136-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/2120-126-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2120-120-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2120-125-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2120-124-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/2120-121-0x00000000004171EE-mapping.dmp

Download
memory/3116-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads