redline | 88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926

Analysis

max time kernel
146s
max time network
153s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-10-2021 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1921292380.exe
Size

719KB
MD5

0068f1a9d11db46097fae660005c1228
SHA1

1a7fc24cccaa5bfeae87446a22605a0a475bb409
SHA256

88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926
SHA512

75525095421bf3866e4f465ed2ed89759230248ec08064865b6cf0435c254586960ee8c957a06a16a5c4693bd386338ec7554e820d94045674f172c141938a36

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2868-501-0x000000000041B23E-mapping.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

Madder.exeMadder.exeMadder.exeMadder.exeMadder.exe

pid process

2204 Madder.exe
396 Madder.exe
2508 Madder.exe
2128 Madder.exe
2868 Madder.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Madder.exe

description pid process target process

PID 2204 set thread context of 2868 2204 Madder.exe Madder.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2936 powershell.exe
2936 powershell.exe
2936 powershell.exe
400 powershell.exe
400 powershell.exe
400 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2936 powershell.exe
Token: SeDebugPrivilege 400 powershell.exe

pid	process
2204	Madder.exe
396	Madder.exe
2508	Madder.exe
2128	Madder.exe
2868	Madder.exe

description	pid	process	target process
PID 2204 set thread context of 2868	2204	Madder.exe	Madder.exe

pid	process
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
400	powershell.exe
400	powershell.exe
400	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

1921292380.execmd.execmd.exeMadder.exe

description	pid	process	target process
PID 2776 wrote to memory of 500	2776	1921292380.exe	cmd.exe
PID 2776 wrote to memory of 500	2776	1921292380.exe	cmd.exe
PID 2776 wrote to memory of 500	2776	1921292380.exe	cmd.exe
PID 2776 wrote to memory of 860	2776	1921292380.exe	cmd.exe
PID 2776 wrote to memory of 860	2776	1921292380.exe	cmd.exe
PID 2776 wrote to memory of 860	2776	1921292380.exe	cmd.exe
PID 860 wrote to memory of 2204	860	cmd.exe	Madder.exe
PID 860 wrote to memory of 2204	860	cmd.exe	Madder.exe
PID 860 wrote to memory of 2204	860	cmd.exe	Madder.exe
PID 500 wrote to memory of 2936	500	cmd.exe	powershell.exe
PID 500 wrote to memory of 2936	500	cmd.exe	powershell.exe
PID 500 wrote to memory of 2936	500	cmd.exe	powershell.exe
PID 2204 wrote to memory of 396	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 396	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 396	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2508	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2508	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2508	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2128	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2128	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2128	2204	Madder.exe	Madder.exe
PID 500 wrote to memory of 400	500	cmd.exe	powershell.exe
PID 500 wrote to memory of 400	500	cmd.exe	powershell.exe
PID 500 wrote to memory of 400	500	cmd.exe	powershell.exe
PID 2204 wrote to memory of 2868	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2868	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2868	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2868	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2868	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2868	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2868	2204	Madder.exe	Madder.exe
PID 2204 wrote to memory of 2868	2204	Madder.exe	Madder.exe

C:\Users\Admin\AppData\Local\Temp\1921292380.exe
"C:\Users\Admin\AppData\Local\Temp\1921292380.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\Madder.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:396

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:2508

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\Madder.exe
C:\Users\Admin\AppData\Local\Temp\Madder.exe
4⤵
- Executes dropped EXE
PID:2868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Madder.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4a0099f762059e45d2c7bb166c6904aa

SHA1
159100c4c15cf1f9884b8517cb0e7418b7e88ad3

SHA256
e73da51feb4419e4b3783186e9ccf9d51d19993524591286874d31b01bb54f31

SHA512
57458dc37d24db43f51d6de3d28fa7b51c4b1bb8081e8dfbb8fa6ffb64d3c700c58edf8ea545ca57e09cc49b8e50301f94c742f6dd84b52b394518071c7fecc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madder.exe
MD5
b8c0aa13740f17c223af874f41f446d1

SHA1
d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

SHA256
ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

SHA512
f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

Download Submit
memory/400-378-0x0000000000000000-mapping.dmp

Download
memory/400-466-0x0000000006C63000-0x0000000006C64000-memory.dmp

Filesize
4KB

Download
memory/400-411-0x000000007F040000-0x000000007F041000-memory.dmp

Filesize
4KB

Download
memory/400-392-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/400-393-0x0000000006C62000-0x0000000006C63000-memory.dmp

Filesize
4KB

Download
memory/500-115-0x0000000000000000-mapping.dmp

Download
memory/860-116-0x0000000000000000-mapping.dmp

Download
memory/2204-128-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/2204-131-0x0000000002FC0000-0x0000000003036000-memory.dmp

Filesize
472KB

Download
memory/2204-134-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/2204-130-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2204-123-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2204-117-0x0000000000000000-mapping.dmp

Download
memory/2868-501-0x000000000041B23E-mapping.dmp

Download
memory/2868-600-0x0000000004D20000-0x0000000005326000-memory.dmp

Filesize
6.0MB

Download
memory/2936-127-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/2936-148-0x0000000008AB0000-0x0000000008AE3000-memory.dmp

Filesize
204KB

Download
memory/2936-155-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/2936-160-0x0000000008DF0000-0x0000000008DF1000-memory.dmp

Filesize
4KB

Download
memory/2936-161-0x000000007EC50000-0x000000007EC51000-memory.dmp

Filesize
4KB

Download
memory/2936-162-0x0000000009010000-0x0000000009011000-memory.dmp

Filesize
4KB

Download
memory/2936-231-0x0000000001033000-0x0000000001034000-memory.dmp

Filesize
4KB

Download
memory/2936-140-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2936-138-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/2936-137-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/2936-136-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/2936-135-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2936-133-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/2936-132-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/2936-129-0x0000000001032000-0x0000000001033000-memory.dmp

Filesize
4KB

Download
memory/2936-126-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2936-125-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/2936-121-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2936-122-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2936-119-0x0000000000000000-mapping.dmp

Download