redline | 1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835

General

Target

1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe
Size

669KB
MD5

05ed63df3b41b74852b191998d06892a
SHA1

9ce8a01e8e7e2e314acb3e85414aafcb95cf0066
SHA256

1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835
SHA512

e28802e4fdf803d9e4ff4d8f5696a0582d96cfe107b7198288e2fd6bd828a77e0fa42df6f3a24688c1b92c119bbd80f828458dd6a705ad3eeb613013efe269b7

Score

10^/10

redline mix31.08 discovery infostealer spyware stealer suricata

Malware Config

Extracted

Family

redline

Botnet

mix31.08

C2

185.215.113.15:6043

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1248-121-0x0000000003960000-0x000000000397F000-memory.dmp	family_redline
behavioral1/memory/1248-123-0x0000000003D60000-0x0000000003D7E000-memory.dmp	family_redline

suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

apinesp.exe

pid process

1248 apinesp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1248	apinesp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

apinesp.exe

pid process

1248 apinesp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

apinesp.exe

description pid process

Token: SeDebugPrivilege 1248 apinesp.exe

pid	process
1248	apinesp.exe

description	pid	process
Token: SeDebugPrivilege	1248	apinesp.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe

description	pid	process	target process
PID 804 wrote to memory of 1248	804	1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe	apinesp.exe
PID 804 wrote to memory of 1248	804	1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe	apinesp.exe
PID 804 wrote to memory of 1248	804	1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe	apinesp.exe

C:\Users\Admin\AppData\Local\Temp\1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe
"C:\Users\Admin\AppData\Local\Temp\1e863372d23349caed8d6b1c7a4930c785a761b19bd965504cf330c018140835.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exe
apinesp.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exe
MD5
80be2cb2a90aa45b243abf22a04985bd

SHA1
286c7746f725429bfff7994aa79046a114edfce3

SHA256
4da095e0a59cecad3fbfc6fa4f33c00e71edc9fffae041a521552390825732f7

SHA512
112b8c0505a91aeab9d99f74e2d4f73fa4fb939e7f209fe7ba0119f08b8fa6c9792e8f1e3467a0e5694b0c692b8dcff8ae800cab7312ce4fbd7dc60d47fa27c3

Download Submit
C:\Users\Admin\AppData\Roaming\hyperc\apinesp.exe
MD5
80be2cb2a90aa45b243abf22a04985bd

SHA1
286c7746f725429bfff7994aa79046a114edfce3

SHA256
4da095e0a59cecad3fbfc6fa4f33c00e71edc9fffae041a521552390825732f7

SHA512
112b8c0505a91aeab9d99f74e2d4f73fa4fb939e7f209fe7ba0119f08b8fa6c9792e8f1e3467a0e5694b0c692b8dcff8ae800cab7312ce4fbd7dc60d47fa27c3

Download Submit
memory/804-115-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/804-114-0x00000000008E0000-0x00000000009AE000-memory.dmp

Filesize
824KB

Download
memory/1248-125-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/1248-129-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/1248-119-0x0000000001E00000-0x0000000001F4A000-memory.dmp

Filesize
1.3MB

Download
memory/1248-121-0x0000000003960000-0x000000000397F000-memory.dmp

Filesize
124KB

Download
memory/1248-122-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/1248-123-0x0000000003D60000-0x0000000003D7E000-memory.dmp

Filesize
120KB

Download
memory/1248-124-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/1248-126-0x0000000006562000-0x0000000006563000-memory.dmp

Filesize
4KB

Download
memory/1248-116-0x0000000000000000-mapping.dmp

Download
memory/1248-127-0x0000000006563000-0x0000000006564000-memory.dmp

Filesize
4KB

Download
memory/1248-128-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/1248-120-0x0000000000400000-0x0000000001D9A000-memory.dmp

Filesize
25.6MB

Download
memory/1248-130-0x0000000006564000-0x0000000006566000-memory.dmp

Filesize
8KB

Download
memory/1248-131-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/1248-132-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/1248-133-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/1248-134-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download
memory/1248-135-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/1248-136-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/1248-137-0x0000000008E60000-0x0000000008E61000-memory.dmp

Filesize
4KB

Download
memory/1248-138-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads