redline | 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2

General

Target

8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
Size

377KB
MD5

da3d8058c36f4b3b423deb03b4379414
SHA1

03a817be59608078d08d9442fb16380735016818
SHA256

8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2
SHA512

c292766420203cbfc25427444efe17baf6f424c2891a8413936c3ee968ea088bb7e97212f3e20039f2b647e6984deaa123c91a06dc19c8d08531e04c3c776668

Score

10^/10

redline focus1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Focus1

C2

135.148.139.222:33569

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4052-120-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/4052-121-0x0000000000418E5A-mapping.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

description	pid	process	target process
PID 2752 set thread context of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

pid	process
4052	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
4052	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

description pid process

Token: SeDebugPrivilege 4052 8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

description	pid	process
Token: SeDebugPrivilege	4052	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

description	pid	process	target process
PID 2752 wrote to memory of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
PID 2752 wrote to memory of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
PID 2752 wrote to memory of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
PID 2752 wrote to memory of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
PID 2752 wrote to memory of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
PID 2752 wrote to memory of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
PID 2752 wrote to memory of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
PID 2752 wrote to memory of 4052	2752	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe	8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe

C:\Users\Admin\AppData\Local\Temp\8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
"C:\Users\Admin\AppData\Local\Temp\8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
C:\Users\Admin\AppData\Local\Temp\8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8e4a5d38a79f1f13297db22e68805711767767e159e6f8eec469b842a38caea2.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
memory/2752-116-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/2752-117-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/2752-118-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/2752-119-0x00000000054A0000-0x0000000005516000-memory.dmp

Filesize
472KB

Download
memory/2752-114-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4052-125-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/4052-121-0x0000000000418E5A-mapping.dmp

Download
memory/4052-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4052-126-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4052-127-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/4052-128-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4052-129-0x0000000005290000-0x0000000005896000-memory.dmp

Filesize
6.0MB

Download
memory/4052-130-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/4052-131-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/4052-132-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/4052-133-0x0000000006860000-0x0000000006861000-memory.dmp

Filesize
4KB

Download
memory/4052-135-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads