redline | 1d857a8ee0c9851c6ddcd0dcc0ac0057e772f152883762ffbf50457b6c463fd5

General

Target

a3111c47c0b8cc5405b80e0fee672213.exe
Size

815KB
MD5

a3111c47c0b8cc5405b80e0fee672213
SHA1

919e1912ade8b9891f6482fd1c2ded0b85361d0d
SHA256

1d857a8ee0c9851c6ddcd0dcc0ac0057e772f152883762ffbf50457b6c463fd5
SHA512

b3976e6e08602ae921c086a1246c46f5fc8a3fc93fefc72d01c75f50d13ec9d7b07f87981af504c9acef52f7b9cff6dbb33ef130398099a755adfddd5639e849

Score

10^/10

redline adscoupongeneratorv1.0.1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

AdsCouponGeneratorV1.0.1

C2

194.233.74.11:35496

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4192-125-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral2/memory/4192-126-0x00000000004169EA-mapping.dmp	family_redline

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/4436-120-0x00000000053F0000-0x00000000053F5000-memory.dmp	CustAttr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4436 set thread context of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe
4192	a3111c47c0b8cc5405b80e0fee672213.exe
4192	a3111c47c0b8cc5405b80e0fee672213.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4192	a3111c47c0b8cc5405b80e0fee672213.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 1800	4436	a3111c47c0b8cc5405b80e0fee672213.exe	79
PID 4436 wrote to memory of 1800	4436	a3111c47c0b8cc5405b80e0fee672213.exe	79
PID 4436 wrote to memory of 1800	4436	a3111c47c0b8cc5405b80e0fee672213.exe	79
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81
PID 4436 wrote to memory of 4192	4436	a3111c47c0b8cc5405b80e0fee672213.exe	81

C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe
"C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe
  "C:\Users\Admin\AppData\Local\Temp\a3111c47c0b8cc5405b80e0fee672213.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-168-0x00000000093F0000-0x00000000093F1000-memory.dmp

Filesize
4KB

Download
memory/1800-163-0x0000000009010000-0x0000000009011000-memory.dmp

Filesize
4KB

Download
memory/1800-137-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/1800-144-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/1800-156-0x0000000009030000-0x0000000009063000-memory.dmp

Filesize
204KB

Download
memory/1800-148-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/1800-142-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1800-169-0x0000000009550000-0x0000000009551000-memory.dmp

Filesize
4KB

Download
memory/1800-186-0x0000000004903000-0x0000000004904000-memory.dmp

Filesize
4KB

Download
memory/1800-143-0x0000000004902000-0x0000000004903000-memory.dmp

Filesize
4KB

Download
memory/1800-185-0x000000007F710000-0x000000007F711000-memory.dmp

Filesize
4KB

Download
memory/1800-132-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1800-133-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/1800-140-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/1800-139-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/1800-138-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/4192-135-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/4192-147-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/4192-136-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4192-134-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/4192-141-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4192-125-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4192-145-0x0000000005500000-0x0000000005B06000-memory.dmp

Filesize
6.0MB

Download
memory/4436-123-0x0000000008550000-0x00000000085AB000-memory.dmp

Filesize
364KB

Download
memory/4436-114-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/4436-122-0x0000000006010000-0x00000000060B1000-memory.dmp

Filesize
644KB

Download
memory/4436-121-0x0000000005460000-0x000000000595E000-memory.dmp

Filesize
5.0MB

Download
memory/4436-120-0x00000000053F0000-0x00000000053F5000-memory.dmp

Filesize
20KB

Download
memory/4436-119-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/4436-118-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4436-117-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/4436-116-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing