redline | 1d857a8ee0c9851c6ddcd0dcc0ac0057e772f152883762ffbf50457b6c463fd5

General

Target

a3111c47c0b8cc5405b80e0fee672213.exe
Size

815KB
MD5

a3111c47c0b8cc5405b80e0fee672213
SHA1

919e1912ade8b9891f6482fd1c2ded0b85361d0d
SHA256

1d857a8ee0c9851c6ddcd0dcc0ac0057e772f152883762ffbf50457b6c463fd5
SHA512

b3976e6e08602ae921c086a1246c46f5fc8a3fc93fefc72d01c75f50d13ec9d7b07f87981af504c9acef52f7b9cff6dbb33ef130398099a755adfddd5639e849

Score

10^/10

redline adscoupongeneratorv1.0.1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

AdsCouponGeneratorV1.0.1

C2

194.233.74.11:35496

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4192-125-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral2/memory/4192-126-0x00000000004169EA-mapping.dmp	family_redline

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/4436-120-0x00000000053F0000-0x00000000053F5000-memory.dmp	CustAttr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

a3111c47c0b8cc5405b80e0fee672213.exe

description pid process target process

PID 4436 set thread context of 4192 4436 a3111c47c0b8cc5405b80e0fee672213.exe a3111c47c0b8cc5405b80e0fee672213.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exea3111c47c0b8cc5405b80e0fee672213.exe

pid process

1800 powershell.exe
1800 powershell.exe
1800 powershell.exe
4192 a3111c47c0b8cc5405b80e0fee672213.exe
4192 a3111c47c0b8cc5405b80e0fee672213.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exea3111c47c0b8cc5405b80e0fee672213.exe

description pid process

Token: SeDebugPrivilege 1800 powershell.exe
Token: SeDebugPrivilege 4192 a3111c47c0b8cc5405b80e0fee672213.exe

description	pid	process	target process
PID 4436 set thread context of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe

pid	process
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe
4192	a3111c47c0b8cc5405b80e0fee672213.exe
4192	a3111c47c0b8cc5405b80e0fee672213.exe

description	pid	process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4192	a3111c47c0b8cc5405b80e0fee672213.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a3111c47c0b8cc5405b80e0fee672213.exe

description	pid	process	target process
PID 4436 wrote to memory of 1800	4436	a3111c47c0b8cc5405b80e0fee672213.exe	powershell.exe
PID 4436 wrote to memory of 1800	4436	a3111c47c0b8cc5405b80e0fee672213.exe	powershell.exe
PID 4436 wrote to memory of 1800	4436	a3111c47c0b8cc5405b80e0fee672213.exe	powershell.exe
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	a3111c47c0b8cc5405b80e0fee672213.exe

C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe
"C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe
"C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a3111c47c0b8cc5405b80e0fee672213.exe.log
MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
memory/1800-168-0x00000000093F0000-0x00000000093F1000-memory.dmp

Filesize
4KB

Download
memory/1800-163-0x0000000009010000-0x0000000009011000-memory.dmp

Filesize
4KB

Download
memory/1800-124-0x0000000000000000-mapping.dmp

Download
memory/1800-137-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/1800-144-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/1800-156-0x0000000009030000-0x0000000009063000-memory.dmp

Filesize
204KB

Download
memory/1800-148-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/1800-142-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1800-169-0x0000000009550000-0x0000000009551000-memory.dmp

Filesize
4KB

Download
memory/1800-186-0x0000000004903000-0x0000000004904000-memory.dmp

Filesize
4KB

Download
memory/1800-143-0x0000000004902000-0x0000000004903000-memory.dmp

Filesize
4KB

Download
memory/1800-185-0x000000007F710000-0x000000007F711000-memory.dmp

Filesize
4KB

Download
memory/1800-132-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1800-133-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/1800-140-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/1800-139-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/1800-138-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/4192-135-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/4192-147-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/4192-136-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4192-134-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/4192-141-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4192-126-0x00000000004169EA-mapping.dmp

Download
memory/4192-125-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4192-145-0x0000000005500000-0x0000000005B06000-memory.dmp

Filesize
6.0MB

Download
memory/4436-123-0x0000000008550000-0x00000000085AB000-memory.dmp

Filesize
364KB

Download
memory/4436-114-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4436-122-0x0000000006010000-0x00000000060B1000-memory.dmp

Filesize
644KB

Download
memory/4436-121-0x0000000005460000-0x000000000595E000-memory.dmp

Filesize
5.0MB

Download
memory/4436-120-0x00000000053F0000-0x00000000053F5000-memory.dmp

Filesize
20KB

Download
memory/4436-119-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/4436-118-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4436-117-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/4436-116-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads