redline | 3d29b2a1a23b12a5134fbe8b17fe5ba0c87549e5671232eb9e842c2a55ad8f2b

General

Target

3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
Size

1.0MB
MD5

033e13c4aca370aeeb8031dbce7bf0b9
SHA1

406100cd169260cecdf31914d055b612f678b00e
SHA256

3d29b2a1a23b12a5134fbe8b17fe5ba0c87549e5671232eb9e842c2a55ad8f2b
SHA512

4aa49c6b70df63bb022b5c7fcd7aef985c503dd21f6994394a4360a98cba4f3283f2dd8e986d9bf23cfe94425286526fff0f5b296a71c364b7a3e05d639ad00f

Score

10^/10

redline 121212 eumx discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

EUMX

C2

tstamore.info:80

Extracted

Family

redline

Botnet

121212

C2

168.119.241.77:60932

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2960-121-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral2/memory/2960-122-0x000000000041607A-mapping.dmp	family_redline
behavioral2/memory/2960-138-0x0000000005660000-0x0000000005C66000-memory.dmp	family_redline
behavioral2/memory/4004-148-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral2/memory/4004-149-0x000000000041639E-mapping.dmp	family_redline
behavioral2/memory/4004-163-0x0000000005770000-0x0000000005C6E000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

262124620.exe2095039246.exe2095039246.exe

pid process

3936 262124620.exe
1524 2095039246.exe
4004 2095039246.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
3936	262124620.exe
1524	2095039246.exe
4004	2095039246.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

262124620.exe2095039246.exe

description	pid	process	target process
PID 3936 set thread context of 2960	3936	262124620.exe	AddInProcess32.exe
PID 1524 set thread context of 4004	1524	2095039246.exe	2095039246.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3392 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AddInProcess32.exe2095039246.exe

pid process

2960 AddInProcess32.exe
2960 AddInProcess32.exe
4004 2095039246.exe
4004 2095039246.exe

pid	process
3392	PING.EXE

pid	process
2960	AddInProcess32.exe
2960	AddInProcess32.exe
4004	2095039246.exe
4004	2095039246.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

262124620.exeAddInProcess32.exe2095039246.exe2095039246.exe

description	pid	process
Token: SeDebugPrivilege	3936	262124620.exe
Token: SeDebugPrivilege	2960	AddInProcess32.exe
Token: SeDebugPrivilege	1524	2095039246.exe
Token: SeDebugPrivilege	4004	2095039246.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe262124620.exe2095039246.execmd.exe

description	pid	process	target process
PID 3016 wrote to memory of 3936	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	262124620.exe
PID 3016 wrote to memory of 3936	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	262124620.exe
PID 3016 wrote to memory of 3936	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	262124620.exe
PID 3936 wrote to memory of 2960	3936	262124620.exe	AddInProcess32.exe
PID 3936 wrote to memory of 2960	3936	262124620.exe	AddInProcess32.exe
PID 3936 wrote to memory of 2960	3936	262124620.exe	AddInProcess32.exe
PID 3936 wrote to memory of 2960	3936	262124620.exe	AddInProcess32.exe
PID 3936 wrote to memory of 2960	3936	262124620.exe	AddInProcess32.exe
PID 3936 wrote to memory of 2960	3936	262124620.exe	AddInProcess32.exe
PID 3936 wrote to memory of 2960	3936	262124620.exe	AddInProcess32.exe
PID 3936 wrote to memory of 2960	3936	262124620.exe	AddInProcess32.exe
PID 3016 wrote to memory of 1524	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	2095039246.exe
PID 3016 wrote to memory of 1524	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	2095039246.exe
PID 3016 wrote to memory of 1524	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	2095039246.exe
PID 1524 wrote to memory of 4004	1524	2095039246.exe	2095039246.exe
PID 1524 wrote to memory of 4004	1524	2095039246.exe	2095039246.exe
PID 1524 wrote to memory of 4004	1524	2095039246.exe	2095039246.exe
PID 1524 wrote to memory of 4004	1524	2095039246.exe	2095039246.exe
PID 1524 wrote to memory of 4004	1524	2095039246.exe	2095039246.exe
PID 1524 wrote to memory of 4004	1524	2095039246.exe	2095039246.exe
PID 1524 wrote to memory of 4004	1524	2095039246.exe	2095039246.exe
PID 1524 wrote to memory of 4004	1524	2095039246.exe	2095039246.exe
PID 3016 wrote to memory of 2208	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	cmd.exe
PID 3016 wrote to memory of 2208	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	cmd.exe
PID 3016 wrote to memory of 2208	3016	3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe	cmd.exe
PID 2208 wrote to memory of 3392	2208	cmd.exe	PING.EXE
PID 2208 wrote to memory of 3392	2208	cmd.exe	PING.EXE
PID 2208 wrote to memory of 3392	2208	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe
"C:\Users\Admin\AppData\Local\Temp\3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\262124620.exe
  C:\Users\Admin\AppData\Local\Temp\262124620.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\2095039246.exe
  C:\Users\Admin\AppData\Local\Temp\2095039246.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\2095039246.exe
    C:\Users\Admin\AppData\Local\Temp\2095039246.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\3D29B2A1A23B12A5134FBE8B17FE5BA0C87549E567123.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\PING.EXE
    ping 0
    3⤵
    - Runs ping.exe
    PID:3392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2095039246.exe.log

MD5
4a30a8132195c1aa1a62b78676b178d9

SHA1
506e6d99a2ba08c9d3553af30daaaa0fc46ae4be

SHA256
71636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20

SHA512
3272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09

Download Submit
C:\Users\Admin\AppData\Local\Temp\2095039246.exe

MD5
988a04b95560cf988b7cfa0daa3089ae

SHA1
fd19469731f19ca0d7ea13c13f9a8ad4c22c0bde

SHA256
f38d0cb23b83e4dccb0ae0016b5c94156a93f1c7dfdcf23ffef5c0a982e0f1d1

SHA512
e6c0207d708a985c7cd152a7712f69a607cd31b94a937d01fcf3c8087f8436ddcb011dac3704a0cfa0a41f80b807b93b4cbdf11cebfc02270e6d307ff6dadf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\2095039246.exe

MD5
988a04b95560cf988b7cfa0daa3089ae

SHA1
fd19469731f19ca0d7ea13c13f9a8ad4c22c0bde

SHA256
f38d0cb23b83e4dccb0ae0016b5c94156a93f1c7dfdcf23ffef5c0a982e0f1d1

SHA512
e6c0207d708a985c7cd152a7712f69a607cd31b94a937d01fcf3c8087f8436ddcb011dac3704a0cfa0a41f80b807b93b4cbdf11cebfc02270e6d307ff6dadf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\2095039246.exe

MD5
988a04b95560cf988b7cfa0daa3089ae

SHA1
fd19469731f19ca0d7ea13c13f9a8ad4c22c0bde

SHA256
f38d0cb23b83e4dccb0ae0016b5c94156a93f1c7dfdcf23ffef5c0a982e0f1d1

SHA512
e6c0207d708a985c7cd152a7712f69a607cd31b94a937d01fcf3c8087f8436ddcb011dac3704a0cfa0a41f80b807b93b4cbdf11cebfc02270e6d307ff6dadf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\262124620.exe

MD5
723265e91c12f30cf69e763c04aef64f

SHA1
8a7b75fcc815c5ef119638bbe8265ecbba99c830

SHA256
6c0ee45081a09a77a503269607bb0dfd0ee173243f72224b46c8f7498aa1557d

SHA512
498706512c6fa7ed52f4035e5f67dda412b37829fa0b08c7a0279a5e307a2c6a7d9abe17eb2312549aa90f73efedc40db58b319a98ea2891a6328d2dce163554

Download Submit
C:\Users\Admin\AppData\Local\Temp\262124620.exe

MD5
723265e91c12f30cf69e763c04aef64f

SHA1
8a7b75fcc815c5ef119638bbe8265ecbba99c830

SHA256
6c0ee45081a09a77a503269607bb0dfd0ee173243f72224b46c8f7498aa1557d

SHA512
498706512c6fa7ed52f4035e5f67dda412b37829fa0b08c7a0279a5e307a2c6a7d9abe17eb2312549aa90f73efedc40db58b319a98ea2891a6328d2dce163554

Download Submit
memory/1524-147-0x00000000082F0000-0x00000000082F7000-memory.dmp

Filesize
28KB

Download
memory/1524-134-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/1524-146-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/1524-145-0x0000000007B30000-0x0000000007B31000-memory.dmp

Filesize
4KB

Download
memory/1524-128-0x0000000000000000-mapping.dmp

Download
memory/1524-139-0x0000000007850000-0x0000000007D4E000-memory.dmp

Filesize
5.0MB

Download
memory/1524-136-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/1524-135-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/1524-132-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2208-160-0x0000000000000000-mapping.dmp

Download
memory/2960-130-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2960-127-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2960-125-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/2960-137-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/2960-138-0x0000000005660000-0x0000000005C66000-memory.dmp

Filesize
6.0MB

Download
memory/2960-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2960-142-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/2960-143-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/2960-144-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/2960-122-0x000000000041607A-mapping.dmp

Download
memory/2960-126-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/3392-161-0x0000000000000000-mapping.dmp

Download
memory/3936-119-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3936-117-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3936-114-0x0000000000000000-mapping.dmp

Download
memory/3936-120-0x0000000002DD0000-0x0000000002DD9000-memory.dmp

Filesize
36KB

Download
memory/4004-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4004-149-0x000000000041639E-mapping.dmp

Download
memory/4004-159-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/4004-163-0x0000000005770000-0x0000000005C6E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads