redline | 88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926

General

Target

88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe
Size

719KB
MD5

0068f1a9d11db46097fae660005c1228
SHA1

1a7fc24cccaa5bfeae87446a22605a0a475bb409
SHA256

88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926
SHA512

75525095421bf3866e4f465ed2ed89759230248ec08064865b6cf0435c254586960ee8c957a06a16a5c4693bd386338ec7554e820d94045674f172c141938a36

Score

10^/10

redline 1.0.2.0 infostealer

Malware Config

Extracted

Family

redline

Botnet

1.0.2.0

C2

185.183.32.227:51498

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1216-138-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/1216-139-0x000000000041B23E-mapping.dmp	family_redline
behavioral1/memory/1216-150-0x0000000005420000-0x0000000005A26000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

Madder.exeMadder.exe

pid process

4528 Madder.exe
1216 Madder.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Madder.exe

description pid process target process

PID 4528 set thread context of 1216 4528 Madder.exe Madder.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4608 powershell.exe
4608 powershell.exe
4608 powershell.exe
2296 powershell.exe
2296 powershell.exe
2296 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4608 powershell.exe
Token: SeDebugPrivilege 2296 powershell.exe

pid	process
4528	Madder.exe
1216	Madder.exe

description	pid	process	target process
PID 4528 set thread context of 1216	4528	Madder.exe	Madder.exe

pid	process
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.execmd.execmd.exeMadder.exe

description	pid	process	target process
PID 2120 wrote to memory of 4464	2120	88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe	cmd.exe
PID 2120 wrote to memory of 4464	2120	88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe	cmd.exe
PID 2120 wrote to memory of 4464	2120	88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe	cmd.exe
PID 2120 wrote to memory of 4404	2120	88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe	cmd.exe
PID 2120 wrote to memory of 4404	2120	88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe	cmd.exe
PID 2120 wrote to memory of 4404	2120	88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe	cmd.exe
PID 4404 wrote to memory of 4528	4404	cmd.exe	Madder.exe
PID 4404 wrote to memory of 4528	4404	cmd.exe	Madder.exe
PID 4404 wrote to memory of 4528	4404	cmd.exe	Madder.exe
PID 4464 wrote to memory of 4608	4464	cmd.exe	powershell.exe
PID 4464 wrote to memory of 4608	4464	cmd.exe	powershell.exe
PID 4464 wrote to memory of 4608	4464	cmd.exe	powershell.exe
PID 4528 wrote to memory of 1216	4528	Madder.exe	Madder.exe
PID 4528 wrote to memory of 1216	4528	Madder.exe	Madder.exe
PID 4528 wrote to memory of 1216	4528	Madder.exe	Madder.exe
PID 4528 wrote to memory of 1216	4528	Madder.exe	Madder.exe
PID 4528 wrote to memory of 1216	4528	Madder.exe	Madder.exe
PID 4528 wrote to memory of 1216	4528	Madder.exe	Madder.exe
PID 4528 wrote to memory of 1216	4528	Madder.exe	Madder.exe
PID 4528 wrote to memory of 1216	4528	Madder.exe	Madder.exe
PID 4464 wrote to memory of 2296	4464	cmd.exe	powershell.exe
PID 4464 wrote to memory of 2296	4464	cmd.exe	powershell.exe
PID 4464 wrote to memory of 2296	4464	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe
"C:\Users\Admin\AppData\Local\Temp\88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Madder.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
61ed5182db7029600cbe33da9414af90

SHA1
29996c2fb760e6f957ebe358901e40e55a70c907

SHA256
a85b10fed0ea8ec43de44f3e35f093afc767cdb0369500b2b3d4d72313817353

SHA512
2029d6a8c81cb87c1e737c64670cc2963a17d9fec438d793c6ca33462d7c40bb00bf0b3c172c4fc4ee7e997ce004a06f25b283f89685fd222be871d29a5fb43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
memory/1216-151-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1216-146-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/1216-139-0x000000000041B23E-mapping.dmp

Download
memory/1216-144-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/1216-147-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/1216-150-0x0000000005420000-0x0000000005A26000-memory.dmp

Filesize
6.0MB

Download
memory/1216-138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2296-387-0x0000000000000000-mapping.dmp

Download
memory/2296-425-0x0000000007303000-0x0000000007304000-memory.dmp

Filesize
4KB

Download
memory/2296-424-0x000000007F8E0000-0x000000007F8E1000-memory.dmp

Filesize
4KB

Download
memory/2296-394-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/2296-395-0x0000000007302000-0x0000000007303000-memory.dmp

Filesize
4KB

Download
memory/4404-116-0x0000000000000000-mapping.dmp

Download
memory/4464-115-0x0000000000000000-mapping.dmp

Download
memory/4528-127-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4528-131-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/4528-117-0x0000000000000000-mapping.dmp

Download
memory/4528-135-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/4528-123-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4528-130-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4608-158-0x00000000091A0000-0x00000000091D3000-memory.dmp

Filesize
204KB

Download
memory/4608-170-0x000000007F3F0000-0x000000007F3F1000-memory.dmp

Filesize
4KB

Download
memory/4608-141-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/4608-133-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/4608-148-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/4608-129-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/4608-128-0x0000000002FC2000-0x0000000002FC3000-memory.dmp

Filesize
4KB

Download
memory/4608-136-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/4608-165-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/4608-132-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/4608-171-0x0000000009400000-0x0000000009401000-memory.dmp

Filesize
4KB

Download
memory/4608-172-0x0000000002FC3000-0x0000000002FC4000-memory.dmp

Filesize
4KB

Download
memory/4608-173-0x0000000009750000-0x0000000009751000-memory.dmp

Filesize
4KB

Download
memory/4608-126-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/4608-125-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/4608-134-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/4608-121-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/4608-122-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/4608-120-0x0000000000000000-mapping.dmp

Download
memory/4608-137-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing