redline | 88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926

Analysis

max time kernel
149s
max time network
189s
platform
windows7_x64
resource
win7-en-20210920
submitted
22-10-2021 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1921292380.exe
Size

719KB
MD5

0068f1a9d11db46097fae660005c1228
SHA1

1a7fc24cccaa5bfeae87446a22605a0a475bb409
SHA256

88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926
SHA512

75525095421bf3866e4f465ed2ed89759230248ec08064865b6cf0435c254586960ee8c957a06a16a5c4693bd386338ec7554e820d94045674f172c141938a36

Score

10^/10

redline 1.0.2.0 infostealer

Malware Config

Extracted

Family

redline

Botnet

1.0.2.0

185.183.32.227:51498

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1368-80-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/1368-81-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/1368-83-0x000000000041B23E-mapping.dmp	family_redline
behavioral1/memory/1368-82-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral1/memory/1368-85-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Madder.exeMadder.exeMadder.exe

pid process

620 Madder.exe
1296 Madder.exe
1368 Madder.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeMadder.exe

pid process

1328 cmd.exe
1328 cmd.exe
620 Madder.exe
620 Madder.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Madder.exe

description pid process target process

PID 620 set thread context of 1368 620 Madder.exe Madder.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1152 powershell.exe
1280 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1152 powershell.exe
Token: SeDebugPrivilege 1280 powershell.exe

pid	process
620	Madder.exe
1296	Madder.exe
1368	Madder.exe

pid	process
1328	cmd.exe
1328	cmd.exe
620	Madder.exe
620	Madder.exe

description	pid	process	target process
PID 620 set thread context of 1368	620	Madder.exe	Madder.exe

pid	process
1152	powershell.exe
1280	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

1921292380.execmd.execmd.exeMadder.exe

description	pid	process	target process
PID 1200 wrote to memory of 1336	1200	1921292380.exe	cmd.exe
PID 1200 wrote to memory of 1336	1200	1921292380.exe	cmd.exe
PID 1200 wrote to memory of 1336	1200	1921292380.exe	cmd.exe
PID 1200 wrote to memory of 1336	1200	1921292380.exe	cmd.exe
PID 1200 wrote to memory of 1328	1200	1921292380.exe	cmd.exe
PID 1200 wrote to memory of 1328	1200	1921292380.exe	cmd.exe
PID 1200 wrote to memory of 1328	1200	1921292380.exe	cmd.exe
PID 1200 wrote to memory of 1328	1200	1921292380.exe	cmd.exe
PID 1328 wrote to memory of 620	1328	cmd.exe	Madder.exe
PID 1328 wrote to memory of 620	1328	cmd.exe	Madder.exe
PID 1328 wrote to memory of 620	1328	cmd.exe	Madder.exe
PID 1328 wrote to memory of 620	1328	cmd.exe	Madder.exe
PID 1336 wrote to memory of 1152	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 1152	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 1152	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 1152	1336	cmd.exe	powershell.exe
PID 620 wrote to memory of 1296	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1296	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1296	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1296	620	Madder.exe	Madder.exe
PID 1336 wrote to memory of 1280	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 1280	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 1280	1336	cmd.exe	powershell.exe
PID 1336 wrote to memory of 1280	1336	cmd.exe	powershell.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe
PID 620 wrote to memory of 1368	620	Madder.exe	Madder.exe

C:\Users\Admin\AppData\Local\Temp\1921292380.exe
"C:\Users\Admin\AppData\Local\Temp\1921292380.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Madder.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:1296

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:1368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
b3587a415e2392404cec178798bcee48

SHA1
cf989d318515dffc30ad89d9d07607d0d9510bd2

SHA256
318b9cb8279eb597504053d005a90381abde40481bb22203a55811a8d050a97e

SHA512
f178db448667e2370ab44e8cc17bfe2abd11573f646b5c9546cde905e548699324e8615141555e7715ca49ce59e28274fa87301733fa0868f32d47086dca3023

Download Submit
\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
memory/620-66-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/620-59-0x0000000000000000-mapping.dmp

Download
memory/620-63-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1152-61-0x0000000000000000-mapping.dmp

Download
memory/1152-68-0x0000000002461000-0x0000000002462000-memory.dmp

Filesize
4KB

Download
memory/1152-69-0x0000000002462000-0x0000000002464000-memory.dmp

Filesize
8KB

Download
memory/1152-67-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1152-62-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1280-70-0x0000000000000000-mapping.dmp

Download
memory/1280-74-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/1280-75-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/1280-73-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/1328-55-0x0000000000000000-mapping.dmp

Download
memory/1336-54-0x0000000000000000-mapping.dmp

Download
memory/1368-83-0x000000000041B23E-mapping.dmp

Download
memory/1368-81-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-82-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-78-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-85-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1368-87-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download