redline | 65bbafc229aa726d189d7607d03b1c6835ddcdf8ad6ac90017749b051f6b0770

General

Target

34f3000197e221ad89885926051f8e8f.exe
Size

440KB
MD5

34f3000197e221ad89885926051f8e8f
SHA1

cf1f2467b58b9c3ca0fddef9c1e628235cec0378
SHA256

65bbafc229aa726d189d7607d03b1c6835ddcdf8ad6ac90017749b051f6b0770
SHA512

499844dbf3c2593114249d9ad78edf5e0f8d4318d5ce5e998da6235bcec119ce877784c617844c4b185a548ec54d3fb8896931c0f236c863ec5af1676aa98ab9

Score

10^/10

redline @yungwoods discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@yungwoods

C2

51.254.69.209:48987

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3740-168-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/3740-169-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/3740-179-0x0000000004E90000-0x0000000005496000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

34f3000197e221ad89885926051f8e8f.exe

description pid process target process

PID 2372 set thread context of 3740 2372 34f3000197e221ad89885926051f8e8f.exe 34f3000197e221ad89885926051f8e8f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2372 set thread context of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exe34f3000197e221ad89885926051f8e8f.exe34f3000197e221ad89885926051f8e8f.exe

pid	process
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
864	powershell.exe
864	powershell.exe
864	powershell.exe
2372	34f3000197e221ad89885926051f8e8f.exe
2372	34f3000197e221ad89885926051f8e8f.exe
2372	34f3000197e221ad89885926051f8e8f.exe
2372	34f3000197e221ad89885926051f8e8f.exe
2372	34f3000197e221ad89885926051f8e8f.exe
2372	34f3000197e221ad89885926051f8e8f.exe
3740	34f3000197e221ad89885926051f8e8f.exe
3740	34f3000197e221ad89885926051f8e8f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exe34f3000197e221ad89885926051f8e8f.exe34f3000197e221ad89885926051f8e8f.exe

description	pid	process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2372	34f3000197e221ad89885926051f8e8f.exe
Token: SeDebugPrivilege	3740	34f3000197e221ad89885926051f8e8f.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

34f3000197e221ad89885926051f8e8f.exe

C:\Users\Admin\AppData\Local\Temp\34f3000197e221ad89885926051f8e8f.exe
"C:\Users\Admin\AppData\Local\Temp\34f3000197e221ad89885926051f8e8f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 15
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Users\Admin\AppData\Local\Temp\34f3000197e221ad89885926051f8e8f.exe
  C:\Users\Admin\AppData\Local\Temp\34f3000197e221ad89885926051f8e8f.exe
  2⤵
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\34f3000197e221ad89885926051f8e8f.exe
  C:\Users\Admin\AppData\Local\Temp\34f3000197e221ad89885926051f8e8f.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\34f3000197e221ad89885926051f8e8f.exe.log

MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
b42b8394f52b01b93879625688c3d79d

SHA1
3ed5877ab13e7655482c19e8b7511f8b2bfcdbb3

SHA256
b7b0a0ab5e777b74a8d7ec285804091eb3a4c71fcc2c57cddfa8541d05409cdd

SHA512
86357e54c29ee9c107b5655d457121f35117565fae4fdd018e56079eb7ca012e4afe0a5d5562bc2996b932b02450ad0fbb7f27047315b524138a0fe08c4f79c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0312cc16855dd82edb254af46ee59b44

SHA1
1921ef4196d621afe0a1b4499d1bdef3cbbd1b2c

SHA256
4f63e2ab9390ccb1cc3fe9cfa6cf04994209f191a593dce34b5410d3b8d8edae

SHA512
c7f791d920da5554d473cfcd8fdda12505ad39e81a98d6669eae5b539c2f10135becc35d2d11c564ca72a4a1cdea5dca635e9e78cde16552c9e7eab77a257453

Download Submit
memory/864-160-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/864-178-0x0000000007383000-0x0000000007384000-memory.dmp

Filesize
4KB

Download
memory/864-142-0x0000000000000000-mapping.dmp

Download
memory/864-148-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/2372-120-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2372-119-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/2372-167-0x0000000006FC0000-0x0000000006FD9000-memory.dmp

Filesize
100KB

Download
memory/2372-166-0x0000000004FF0000-0x000000000502A000-memory.dmp

Filesize
232KB

Download
memory/2372-115-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2372-118-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/2372-117-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2460-128-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/2460-130-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/2460-134-0x0000000008700000-0x0000000008701000-memory.dmp

Filesize
4KB

Download
memory/2460-139-0x0000000009C70000-0x0000000009C71000-memory.dmp

Filesize
4KB

Download
memory/2460-140-0x0000000009390000-0x0000000009391000-memory.dmp

Filesize
4KB

Download
memory/2460-132-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/2460-131-0x0000000006EC2000-0x0000000006EC3000-memory.dmp

Filesize
4KB

Download
memory/2460-124-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2460-146-0x0000000006EC3000-0x0000000006EC4000-memory.dmp

Filesize
4KB

Download
memory/2460-129-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/2460-127-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/2460-126-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/2460-125-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2460-133-0x0000000008480000-0x0000000008481000-memory.dmp

Filesize
4KB

Download
memory/2460-121-0x0000000000000000-mapping.dmp

Download
memory/3740-168-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3740-173-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3740-174-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3740-175-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3740-176-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/3740-177-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3740-179-0x0000000004E90000-0x0000000005496000-memory.dmp

Filesize
6.0MB

Download
memory/3740-169-0x000000000041C5F2-mapping.dmp

Download
memory/3740-180-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/3740-181-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/3740-185-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 2372 wrote to memory of 2460	2372	34f3000197e221ad89885926051f8e8f.exe	powershell.exe
PID 2372 wrote to memory of 2460	2372	34f3000197e221ad89885926051f8e8f.exe	powershell.exe
PID 2372 wrote to memory of 2460	2372	34f3000197e221ad89885926051f8e8f.exe	powershell.exe
PID 2372 wrote to memory of 864	2372	34f3000197e221ad89885926051f8e8f.exe	powershell.exe
PID 2372 wrote to memory of 864	2372	34f3000197e221ad89885926051f8e8f.exe	powershell.exe
PID 2372 wrote to memory of 864	2372	34f3000197e221ad89885926051f8e8f.exe	powershell.exe
PID 2372 wrote to memory of 1664	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 1664	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 1664	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe
PID 2372 wrote to memory of 3740	2372	34f3000197e221ad89885926051f8e8f.exe	34f3000197e221ad89885926051f8e8f.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads