redline | 328c5eb8908b83c474ab4ab892ac1c2cae066f1f55dbcd15d850b54cc0f4c3cc

General

Target

FAD165B5BA7DDB0389733F6B979EAE3E.exe
Size

2.4MB
MD5

fad165b5ba7ddb0389733f6b979eae3e
SHA1

e3641696b0cb2137501ad51501225ee79757ba2b
SHA256

328c5eb8908b83c474ab4ab892ac1c2cae066f1f55dbcd15d850b54cc0f4c3cc
SHA512

621ba451d47acb409ce309322236ce53c4dd514a40ece5cb3beaf509ce9241bf410e792efea2d2435d7fb0c87b2ee3c649f9a8274e0e852b534e1263954a95fc

Score

10^/10

redline @osix7 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@Osix7

C2

briaseynan.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1696-62-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1696-63-0x00000000004171EA-mapping.dmp	family_redline
behavioral1/memory/1696-64-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

build2.exe

pid process

660 build2.exe
Loads dropped DLL 1 IoCs

Processes:

AddInProcess32.exe

pid process

1696 AddInProcess32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 icanhazip.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

FAD165B5BA7DDB0389733F6B979EAE3E.exe

description pid process target process

PID 1832 set thread context of 1696 1832 FAD165B5BA7DDB0389733F6B979EAE3E.exe AddInProcess32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

240 660 WerFault.exe build2.exe

pid	process
660	build2.exe

flow	ioc
18	icanhazip.com

description	pid	process	target process
PID 1832 set thread context of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe

pid	pid_target	process	target process
240	660	WerFault.exe	build2.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

AddInProcess32.exebuild2.exeWerFault.exe

pid	process
1696	AddInProcess32.exe
1696	AddInProcess32.exe
660	build2.exe
660	build2.exe
240	WerFault.exe
240	WerFault.exe
240	WerFault.exe
240	WerFault.exe
240	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

FAD165B5BA7DDB0389733F6B979EAE3E.exeAddInProcess32.exebuild2.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe
Token: SeDebugPrivilege	1696	AddInProcess32.exe
Token: SeDebugPrivilege	660	build2.exe
Token: SeDebugPrivilege	240	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

FAD165B5BA7DDB0389733F6B979EAE3E.exeAddInProcess32.exebuild2.exe

description	pid	process	target process
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1832 wrote to memory of 1696	1832	FAD165B5BA7DDB0389733F6B979EAE3E.exe	AddInProcess32.exe
PID 1696 wrote to memory of 660	1696	AddInProcess32.exe	build2.exe
PID 1696 wrote to memory of 660	1696	AddInProcess32.exe	build2.exe
PID 1696 wrote to memory of 660	1696	AddInProcess32.exe	build2.exe
PID 1696 wrote to memory of 660	1696	AddInProcess32.exe	build2.exe
PID 660 wrote to memory of 240	660	build2.exe	WerFault.exe
PID 660 wrote to memory of 240	660	build2.exe	WerFault.exe
PID 660 wrote to memory of 240	660	build2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\FAD165B5BA7DDB0389733F6B979EAE3E.exe
"C:\Users\Admin\AppData\Local\Temp\FAD165B5BA7DDB0389733F6B979EAE3E.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Roaming\build2.exe
"C:\Users\Admin\AppData\Roaming\build2.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 660 -s 1088
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\build2.exe
MD5
cdb973a5c06fbf67dc48d359239a3b89

SHA1
4562d1c5c799a2d37a4700733fa165e0ba6bfc08

SHA256
630a85d082105029c1f4962acea125d2dd7da277c060ee51544f748a58d0daaf

SHA512
5836db643318abca0eab5a0f93fc2268afdb5b29c9009d136119182751b6df6eeeb2afba7013dde59acfd85b330742b6fe549aecff3447b66d5ddf8ba2021ea9

Download Submit
C:\Users\Admin\AppData\Roaming\build2.exe
MD5
cdb973a5c06fbf67dc48d359239a3b89

SHA1
4562d1c5c799a2d37a4700733fa165e0ba6bfc08

SHA256
630a85d082105029c1f4962acea125d2dd7da277c060ee51544f748a58d0daaf

SHA512
5836db643318abca0eab5a0f93fc2268afdb5b29c9009d136119182751b6df6eeeb2afba7013dde59acfd85b330742b6fe549aecff3447b66d5ddf8ba2021ea9

Download Submit
\Users\Admin\AppData\Roaming\build2.exe
MD5
cdb973a5c06fbf67dc48d359239a3b89

SHA1
4562d1c5c799a2d37a4700733fa165e0ba6bfc08

SHA256
630a85d082105029c1f4962acea125d2dd7da277c060ee51544f748a58d0daaf

SHA512
5836db643318abca0eab5a0f93fc2268afdb5b29c9009d136119182751b6df6eeeb2afba7013dde59acfd85b330742b6fe549aecff3447b66d5ddf8ba2021ea9

Download Submit
memory/240-74-0x0000000000000000-mapping.dmp

Download
memory/240-75-0x000007FEFB681000-0x000007FEFB683000-memory.dmp

Filesize
8KB

Download
memory/240-76-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/660-68-0x0000000000000000-mapping.dmp

Download
memory/660-71-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/660-73-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/1696-63-0x00000000004171EA-mapping.dmp

Download
memory/1696-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-66-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1696-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1832-59-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1832-61-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads