redline | 770e6bbe4c4f4e7abfbb4a533d28f8e44c5a374aa05dc3c333d7f15594e217e7

General

Target

96c2ef023febbd4e3773bbb3a59e54c3.exe
Size

417KB
MD5

96c2ef023febbd4e3773bbb3a59e54c3
SHA1

8e20dc3097d3380f1b2c567a05b3a7d8dae713bf
SHA256

770e6bbe4c4f4e7abfbb4a533d28f8e44c5a374aa05dc3c333d7f15594e217e7
SHA512

f5e45c4c6f09c1d1d40832b1611fbff8ba822964cdb40e397254ae143a44f8c822ca7b5dcbdd7a3ddbd5f1b383fd7c1db2233ac9301fbc58f3c75f280abb9370

Score

10^/10

redline 7w06zphy discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

7W06ZPHY

C2

188.34.176.164:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1688-68-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1688-69-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/1688-70-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

96c2ef023febbd4e3773bbb3a59e54c3.exe

description pid process target process

PID 840 set thread context of 1688 840 96c2ef023febbd4e3773bbb3a59e54c3.exe 96c2ef023febbd4e3773bbb3a59e54c3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 840 set thread context of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exe96c2ef023febbd4e3773bbb3a59e54c3.exe96c2ef023febbd4e3773bbb3a59e54c3.exe

pid	process
1616	powershell.exe
572	powershell.exe
840	96c2ef023febbd4e3773bbb3a59e54c3.exe
840	96c2ef023febbd4e3773bbb3a59e54c3.exe
840	96c2ef023febbd4e3773bbb3a59e54c3.exe
840	96c2ef023febbd4e3773bbb3a59e54c3.exe
840	96c2ef023febbd4e3773bbb3a59e54c3.exe
840	96c2ef023febbd4e3773bbb3a59e54c3.exe
1688	96c2ef023febbd4e3773bbb3a59e54c3.exe
1688	96c2ef023febbd4e3773bbb3a59e54c3.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

powershell.exepowershell.exe96c2ef023febbd4e3773bbb3a59e54c3.exe96c2ef023febbd4e3773bbb3a59e54c3.exe

description	pid	process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeIncreaseQuotaPrivilege	1616	powershell.exe
Token: SeSecurityPrivilege	1616	powershell.exe
Token: SeTakeOwnershipPrivilege	1616	powershell.exe
Token: SeLoadDriverPrivilege	1616	powershell.exe
Token: SeSystemProfilePrivilege	1616	powershell.exe
Token: SeSystemtimePrivilege	1616	powershell.exe
Token: SeProfSingleProcessPrivilege	1616	powershell.exe
Token: SeIncBasePriorityPrivilege	1616	powershell.exe
Token: SeCreatePagefilePrivilege	1616	powershell.exe
Token: SeBackupPrivilege	1616	powershell.exe
Token: SeRestorePrivilege	1616	powershell.exe
Token: SeShutdownPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeSystemEnvironmentPrivilege	1616	powershell.exe
Token: SeRemoteShutdownPrivilege	1616	powershell.exe
Token: SeUndockPrivilege	1616	powershell.exe
Token: SeManageVolumePrivilege	1616	powershell.exe
Token: 33	1616	powershell.exe
Token: 34	1616	powershell.exe
Token: 35	1616	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeIncreaseQuotaPrivilege	572	powershell.exe
Token: SeSecurityPrivilege	572	powershell.exe
Token: SeTakeOwnershipPrivilege	572	powershell.exe
Token: SeLoadDriverPrivilege	572	powershell.exe
Token: SeSystemProfilePrivilege	572	powershell.exe
Token: SeSystemtimePrivilege	572	powershell.exe
Token: SeProfSingleProcessPrivilege	572	powershell.exe
Token: SeIncBasePriorityPrivilege	572	powershell.exe
Token: SeCreatePagefilePrivilege	572	powershell.exe
Token: SeBackupPrivilege	572	powershell.exe
Token: SeRestorePrivilege	572	powershell.exe
Token: SeShutdownPrivilege	572	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeSystemEnvironmentPrivilege	572	powershell.exe
Token: SeRemoteShutdownPrivilege	572	powershell.exe
Token: SeUndockPrivilege	572	powershell.exe
Token: SeManageVolumePrivilege	572	powershell.exe
Token: 33	572	powershell.exe
Token: 34	572	powershell.exe
Token: 35	572	powershell.exe
Token: SeDebugPrivilege	840	96c2ef023febbd4e3773bbb3a59e54c3.exe
Token: SeDebugPrivilege	1688	96c2ef023febbd4e3773bbb3a59e54c3.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

96c2ef023febbd4e3773bbb3a59e54c3.exe

C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
"C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
2⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
532597be8d2ed77aba207932f1891de3

SHA1
f27cbd1e5ca77707f548575234766859c7291af7

SHA256
fb96edee419c7eda5dc5d511e9fc6da66e5e08b7ebb814ee254bce377f6a4b2f

SHA512
2cbf9d92a260a11dd600e5a22b50a8b7bf87d8586431780310a7aa2e2766ef791385eea4ff0c6cee7a502c94ad24cd370b6cd11f5bc3db4ea145d8bca8025464

Download Submit
memory/572-60-0x0000000000000000-mapping.dmp

Download
memory/572-65-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/572-64-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/572-63-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/840-67-0x0000000000730000-0x0000000000749000-memory.dmp

Filesize
100KB

Download
memory/840-66-0x0000000004AC0000-0x0000000004AF2000-memory.dmp

Filesize
200KB

Download
memory/840-53-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/840-72-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1616-59-0x0000000001E52000-0x0000000001E54000-memory.dmp

Filesize
8KB

Download
memory/1616-57-0x0000000001E50000-0x0000000001E51000-memory.dmp

Filesize
4KB

Download
memory/1616-58-0x0000000001E51000-0x0000000001E52000-memory.dmp

Filesize
4KB

Download
memory/1616-56-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1616-55-0x0000000000000000-mapping.dmp

Download
memory/1688-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1688-69-0x000000000041C5D6-mapping.dmp

Download
memory/1688-70-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1688-73-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 840 wrote to memory of 1616	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 840 wrote to memory of 1616	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 840 wrote to memory of 1616	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 840 wrote to memory of 1616	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 840 wrote to memory of 572	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 840 wrote to memory of 572	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 840 wrote to memory of 572	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 840 wrote to memory of 572	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 840 wrote to memory of 1680	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1680	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1680	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1680	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 840 wrote to memory of 1688	840	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads