redline | a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4

General

Target

a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe
Size

1.8MB
MD5

26ac6f38b111522b7802b03d1fa93e5f
SHA1

a3f0455e91db6a4f4dea25752eb0074917f50d33
SHA256

a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4
SHA512

6c809cb685b29621442329c6482882406e6609516cdc4834dad3e3409c8f2a06cbc48b91a2a34d66b0e49ae9180f9ffc1a9a9312479f8694fdc7eb1ca0710e8e

Score

10^/10

redline new1 infostealer

Malware Config

Extracted

Family

redline

Botnet

new1

C2

185.180.220.105:11915

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1284-119-0x0000000000750000-0x00000000007A6000-memory.dmp	family_redline
behavioral1/memory/1284-124-0x000000000076C5F2-mapping.dmp	family_redline
behavioral1/memory/1284-134-0x0000000004CC0000-0x00000000051BE000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

Processes:

foto.exe

pid process

364 foto.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

foto.exe

description pid process target process

PID 364 set thread context of 1284 364 foto.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
364	foto.exe

description	pid	process	target process
PID 364 set thread context of 1284	364	foto.exe	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exefoto.exe

description	pid	process	target process
PID 740 wrote to memory of 364	740	a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe	foto.exe
PID 740 wrote to memory of 364	740	a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe	foto.exe
PID 740 wrote to memory of 364	740	a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe	foto.exe
PID 364 wrote to memory of 1284	364	foto.exe	RegSvcs.exe
PID 364 wrote to memory of 1284	364	foto.exe	RegSvcs.exe
PID 364 wrote to memory of 1284	364	foto.exe	RegSvcs.exe
PID 364 wrote to memory of 1284	364	foto.exe	RegSvcs.exe
PID 364 wrote to memory of 1284	364	foto.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe
"C:\Users\Admin\AppData\Local\Temp\a93c39e88748ae1c58bc46449d76159b958d2c0233f6709d13ea71f8f13a42a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
MD5
4da64a00d7ff89c04d675f50c32ee458

SHA1
505f39f4039bf5cba0009ea7b7d856f57d31a592

SHA256
610c668380bad93964320bea5957b4c08861e277abc78230a770ad45194905b3

SHA512
d38b6c1aea8763bdfc4e5cbaab8d65a74cf3bdf4d4230efc7005416a58f83742df46b213b91a83967aeb6d9dfccaa038adbf6001569e520b26373fa8f00ab9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\foto.exe
MD5
4da64a00d7ff89c04d675f50c32ee458

SHA1
505f39f4039bf5cba0009ea7b7d856f57d31a592

SHA256
610c668380bad93964320bea5957b4c08861e277abc78230a770ad45194905b3

SHA512
d38b6c1aea8763bdfc4e5cbaab8d65a74cf3bdf4d4230efc7005416a58f83742df46b213b91a83967aeb6d9dfccaa038adbf6001569e520b26373fa8f00ab9f4

Download Submit
memory/364-116-0x0000000000000000-mapping.dmp

Download
memory/1284-127-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1284-124-0x000000000076C5F2-mapping.dmp

Download
memory/1284-125-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1284-119-0x0000000000750000-0x00000000007A6000-memory.dmp

Filesize
344KB

Download
memory/1284-128-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/1284-129-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1284-130-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1284-131-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/1284-132-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1284-133-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/1284-134-0x0000000004CC0000-0x00000000051BE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing