redline | 1426f8433819b5f8a6b88a386e44f52abc4082fe45cea4666d840ac633c9f123

General

Target

GI_hackV2.2.exe
Size

382KB
MD5

033b87f17b845a88b342f558a959ae32
SHA1

4fbad0d47191a0e219accc9daeabc38fad3435f3
SHA256

1426f8433819b5f8a6b88a386e44f52abc4082fe45cea4666d840ac633c9f123
SHA512

6b7378f7f31de0ffef6fc98c2a7d9fcf15aed34c6de5aa5b8119a8fb17dad3b92ed9973c794c29c69d5dcd76b024564ed8daa530a1ad281fa3bb29a83b3907ac

Score

10^/10

redline mexfrend2110 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

MexFrend2110

C2

109.248.11.240:17314

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/580-60-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/580-61-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/580-62-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/580-63-0x000000000041854E-mapping.dmp	family_redline
behavioral1/memory/580-64-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

GI_hackV2.2.exe

description pid process target process

PID 372 set thread context of 580 372 GI_hackV2.2.exe GI_hackV2.2.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

GI_hackV2.2.exe

pid process

580 GI_hackV2.2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GI_hackV2.2.exe

description pid process

Token: SeDebugPrivilege 580 GI_hackV2.2.exe

description	pid	process	target process
PID 372 set thread context of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe

pid	process
580	GI_hackV2.2.exe

description	pid	process
Token: SeDebugPrivilege	580	GI_hackV2.2.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

GI_hackV2.2.exe

description	pid	process	target process
PID 372 wrote to memory of 1528	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 1528	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 1528	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 1528	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 1524	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 1524	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 1524	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 1524	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 372 wrote to memory of 580	372	GI_hackV2.2.exe	GI_hackV2.2.exe

C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
"C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
2⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
2⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-55-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/372-57-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/580-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/580-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/580-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/580-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/580-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/580-63-0x000000000041854E-mapping.dmp

Download
memory/580-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/580-66-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing