redline | acd3e84a50002f93f4f6f3f98b4f0ec25e60889df8e0f15bfff55ddf089cb5c0

General

Target

ce25050ecae70706d0e7b33d5304ab6b.exe
Size

659KB
MD5

ce25050ecae70706d0e7b33d5304ab6b
SHA1

f1cb237e6daa21a01f9a6492495b8370625ef9f5
SHA256

acd3e84a50002f93f4f6f3f98b4f0ec25e60889df8e0f15bfff55ddf089cb5c0
SHA512

2be1cef57dff89191d7a4cb1b7b93a6036f6e7a2421568e318bf0103230664fbc690a0acb5c4708e9f7a7ba82d85559f0c6fe014c0dc1f8501d6b96099e3db2d

Score

10^/10

redline mix 08.06 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

MIX 08.06

C2

185.215.113.17:18597

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/196-122-0x00000000022B0000-0x00000000022CA000-memory.dmp	family_redline
behavioral2/memory/196-124-0x00000000024A0000-0x00000000024B9000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

edspolishpp.exe

pid process

196 edspolishpp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
196	edspolishpp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ce25050ecae70706d0e7b33d5304ab6b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ce25050ecae70706d0e7b33d5304ab6b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ce25050ecae70706d0e7b33d5304ab6b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

edspolishpp.exe

pid process

196 edspolishpp.exe
196 edspolishpp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

edspolishpp.exe

description pid process

Token: SeDebugPrivilege 196 edspolishpp.exe

pid	process
196	edspolishpp.exe
196	edspolishpp.exe

description	pid	process
Token: SeDebugPrivilege	196	edspolishpp.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ce25050ecae70706d0e7b33d5304ab6b.exe

description	pid	process	target process
PID 3932 wrote to memory of 196	3932	ce25050ecae70706d0e7b33d5304ab6b.exe	edspolishpp.exe
PID 3932 wrote to memory of 196	3932	ce25050ecae70706d0e7b33d5304ab6b.exe	edspolishpp.exe
PID 3932 wrote to memory of 196	3932	ce25050ecae70706d0e7b33d5304ab6b.exe	edspolishpp.exe

C:\Users\Admin\AppData\Local\Temp\ce25050ecae70706d0e7b33d5304ab6b.exe
"C:\Users\Admin\AppData\Local\Temp\ce25050ecae70706d0e7b33d5304ab6b.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
edspolishpp.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
MD5
b5e7e1fd00e34e49999f5b60286cd7aa

SHA1
3321f734fcf156bca17c7faadc7fe863a44fe849

SHA256
ec3c9e1878a43c6f5d7c0c5fd98ba61ca5e4d4ceae6ce3c7693e4c3a3c8283fe

SHA512
1e01e673aa1fa59a2ce5ddc9148ba15041dee4f00a83021bda32a9a60e27131098f57a69e27b306706e63e2ed0a96fe7d8c765942a3119d718c7afdc0f802e8c

Download Submit
C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
MD5
b5e7e1fd00e34e49999f5b60286cd7aa

SHA1
3321f734fcf156bca17c7faadc7fe863a44fe849

SHA256
ec3c9e1878a43c6f5d7c0c5fd98ba61ca5e4d4ceae6ce3c7693e4c3a3c8283fe

SHA512
1e01e673aa1fa59a2ce5ddc9148ba15041dee4f00a83021bda32a9a60e27131098f57a69e27b306706e63e2ed0a96fe7d8c765942a3119d718c7afdc0f802e8c

Download Submit
memory/196-124-0x00000000024A0000-0x00000000024B9000-memory.dmp

Filesize
100KB

Download
memory/196-127-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/196-136-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/196-121-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/196-120-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/196-119-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/196-122-0x00000000022B0000-0x00000000022CA000-memory.dmp

Filesize
104KB

Download
memory/196-123-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/196-135-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/196-125-0x0000000004BB2000-0x0000000004BB3000-memory.dmp

Filesize
4KB

Download
memory/196-126-0x0000000004BB3000-0x0000000004BB4000-memory.dmp

Filesize
4KB

Download
memory/196-116-0x0000000000000000-mapping.dmp

Download
memory/196-128-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/196-129-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/196-130-0x0000000004BB4000-0x0000000004BB6000-memory.dmp

Filesize
8KB

Download
memory/196-131-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/196-132-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/196-133-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download
memory/196-134-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/3932-114-0x0000000002270000-0x000000000233E000-memory.dmp

Filesize
824KB

Download
memory/3932-115-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads