redline | fe28808f8b07b484ff987a1ccc2f187857139e84d58dfbbb8004ce29f21bf1ea

General

Target

9901d90330c9d140262d6741a7ba3de7.exe
Size

671KB
MD5

9901d90330c9d140262d6741a7ba3de7
SHA1

c68de5eaaf9e9e34acaac51b83c9ddc36798dbd8
SHA256

fe28808f8b07b484ff987a1ccc2f187857139e84d58dfbbb8004ce29f21bf1ea
SHA512

29623777cdf0d78e6193f31cdff84165ec1958683c487c550314721952d9ec943f7a09fa405e6b518e9443dc1d47cdba7fb9dc2a324994020c58f587132fd1f6

Score

10^/10

redline arind1 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

Arind1

C2

195.2.84.82:56801

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5000-122-0x0000000000416392-mapping.dmp	family_redline
behavioral2/memory/5000-121-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

9901d90330c9d140262d6741a7ba3de7.exe

description pid process target process

PID 4432 set thread context of 5000 4432 9901d90330c9d140262d6741a7ba3de7.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

5000 AddInProcess32.exe
5000 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9901d90330c9d140262d6741a7ba3de7.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 4432 9901d90330c9d140262d6741a7ba3de7.exe
Token: SeDebugPrivilege 5000 AddInProcess32.exe

description	pid	process	target process
PID 4432 set thread context of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe

pid	process
5000	AddInProcess32.exe
5000	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	4432	9901d90330c9d140262d6741a7ba3de7.exe
Token: SeDebugPrivilege	5000	AddInProcess32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9901d90330c9d140262d6741a7ba3de7.exe

description	pid	process	target process
PID 4432 wrote to memory of 4984	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 4984	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 4984	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 4992	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 4992	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 4992	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe
PID 4432 wrote to memory of 5000	4432	9901d90330c9d140262d6741a7ba3de7.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\9901d90330c9d140262d6741a7ba3de7.exe
"C:\Users\Admin\AppData\Local\Temp\9901d90330c9d140262d6741a7ba3de7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4432-125-0x00000000056C0000-0x0000000005BBE000-memory.dmp

Filesize
5.0MB

Download
memory/4432-119-0x00000000059D0000-0x00000000059E6000-memory.dmp

Filesize
88KB

Download
memory/4432-114-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4432-118-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/4432-116-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/4432-120-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/4432-117-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/5000-127-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/5000-122-0x0000000000416392-mapping.dmp

Download
memory/5000-126-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/5000-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5000-128-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/5000-129-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/5000-130-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/5000-131-0x0000000004E40000-0x0000000005446000-memory.dmp

Filesize
6.0MB

Download
memory/5000-134-0x0000000006970000-0x0000000006971000-memory.dmp

Filesize
4KB

Download
memory/5000-136-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing