redline | 88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926

General

Target

0068f1a9d11db46097fae660005c1228.exe
Size

719KB
MD5

0068f1a9d11db46097fae660005c1228
SHA1

1a7fc24cccaa5bfeae87446a22605a0a475bb409
SHA256

88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926
SHA512

75525095421bf3866e4f465ed2ed89759230248ec08064865b6cf0435c254586960ee8c957a06a16a5c4693bd386338ec7554e820d94045674f172c141938a36

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/644-233-0x000000000041B23E-mapping.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Madder.exeMadder.exeMadder.exe

pid process

1504 Madder.exe
2600 Madder.exe
644 Madder.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Madder.exe

description pid process target process

PID 1504 set thread context of 644 1504 Madder.exe Madder.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

936 powershell.exe
936 powershell.exe
936 powershell.exe
1668 powershell.exe
1668 powershell.exe
1668 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 936 powershell.exe
Token: SeDebugPrivilege 1668 powershell.exe

pid	process
1504	Madder.exe
2600	Madder.exe
644	Madder.exe

description	pid	process	target process
PID 1504 set thread context of 644	1504	Madder.exe	Madder.exe

pid	process
936	powershell.exe
936	powershell.exe
936	powershell.exe
1668	powershell.exe
1668	powershell.exe
1668	powershell.exe

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

0068f1a9d11db46097fae660005c1228.execmd.execmd.exeMadder.exe

description	pid	process	target process
PID 2752 wrote to memory of 904	2752	0068f1a9d11db46097fae660005c1228.exe	cmd.exe
PID 2752 wrote to memory of 904	2752	0068f1a9d11db46097fae660005c1228.exe	cmd.exe
PID 2752 wrote to memory of 904	2752	0068f1a9d11db46097fae660005c1228.exe	cmd.exe
PID 2752 wrote to memory of 1000	2752	0068f1a9d11db46097fae660005c1228.exe	cmd.exe
PID 2752 wrote to memory of 1000	2752	0068f1a9d11db46097fae660005c1228.exe	cmd.exe
PID 2752 wrote to memory of 1000	2752	0068f1a9d11db46097fae660005c1228.exe	cmd.exe
PID 1000 wrote to memory of 1504	1000	cmd.exe	Madder.exe
PID 1000 wrote to memory of 1504	1000	cmd.exe	Madder.exe
PID 1000 wrote to memory of 1504	1000	cmd.exe	Madder.exe
PID 904 wrote to memory of 936	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 936	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 936	904	cmd.exe	powershell.exe
PID 1504 wrote to memory of 2600	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 2600	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 2600	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 644	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 644	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 644	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 644	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 644	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 644	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 644	1504	Madder.exe	Madder.exe
PID 1504 wrote to memory of 644	1504	Madder.exe	Madder.exe
PID 904 wrote to memory of 1668	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 1668	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 1668	904	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0068f1a9d11db46097fae660005c1228.exe
"C:\Users\Admin\AppData\Local\Temp\0068f1a9d11db46097fae660005c1228.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Madder.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:2600

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
014f02e0629e6e2af3fe16c85f69ac52

SHA1
e3bf288afd72a934f58e5eccad419ba85149110d

SHA256
c71ee9a20ca4c2a007fb2983393d79fd9dc2bb375130512b102fa08230ee06df

SHA512
9225166458d298540afa6b5ce29ef5887d6217f8cc4773a98e6af7ee9e6572885983a79fada6df848ae12095631369ca28cb130baa8095bfa2c7ae17e4d9158a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
memory/644-242-0x00000000052E0000-0x00000000058E6000-memory.dmp

Filesize
6.0MB

Download
memory/644-233-0x000000000041B23E-mapping.dmp

Download
memory/904-115-0x0000000000000000-mapping.dmp

Download
memory/936-136-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/936-122-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/936-127-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/936-119-0x0000000000000000-mapping.dmp

Download
memory/936-129-0x00000000068A2000-0x00000000068A3000-memory.dmp

Filesize
4KB

Download
memory/936-121-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/936-126-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/936-132-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/936-133-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/936-134-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/936-163-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/936-125-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/936-137-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/936-138-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/936-140-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/936-162-0x00000000068A3000-0x00000000068A4000-memory.dmp

Filesize
4KB

Download
memory/936-148-0x0000000008F50000-0x0000000008F83000-memory.dmp

Filesize
204KB

Download
memory/936-155-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download
memory/936-156-0x000000007EDA0000-0x000000007EDA1000-memory.dmp

Filesize
4KB

Download
memory/936-161-0x0000000009150000-0x0000000009151000-memory.dmp

Filesize
4KB

Download
memory/1000-116-0x0000000000000000-mapping.dmp

Download
memory/1504-123-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1504-135-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/1504-131-0x0000000005010000-0x0000000005086000-memory.dmp

Filesize
472KB

Download
memory/1504-130-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/1504-128-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1504-117-0x0000000000000000-mapping.dmp

Download
memory/1668-388-0x0000000000000000-mapping.dmp

Download
memory/1668-397-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1668-399-0x0000000004C92000-0x0000000004C93000-memory.dmp

Filesize
4KB

Download
memory/1668-494-0x0000000004C93000-0x0000000004C94000-memory.dmp

Filesize
4KB

Download
memory/1668-493-0x000000007EF70000-0x000000007EF71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads