redline | 1426f8433819b5f8a6b88a386e44f52abc4082fe45cea4666d840ac633c9f123

General

Target

GI_hackV2.2.exe
Size

382KB
MD5

033b87f17b845a88b342f558a959ae32
SHA1

4fbad0d47191a0e219accc9daeabc38fad3435f3
SHA256

1426f8433819b5f8a6b88a386e44f52abc4082fe45cea4666d840ac633c9f123
SHA512

6b7378f7f31de0ffef6fc98c2a7d9fcf15aed34c6de5aa5b8119a8fb17dad3b92ed9973c794c29c69d5dcd76b024564ed8daa530a1ad281fa3bb29a83b3907ac

Score

10^/10

redline mexfrend2110 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

MexFrend2110

C2

109.248.11.240:17314

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1164-121-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral2/memory/1164-122-0x000000000041854E-mapping.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

GI_hackV2.2.exe

description pid process target process

PID 1864 set thread context of 1164 1864 GI_hackV2.2.exe GI_hackV2.2.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

GI_hackV2.2.exe

pid process

1164 GI_hackV2.2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

GI_hackV2.2.exe

description pid process

Token: SeDebugPrivilege 1164 GI_hackV2.2.exe

description	pid	process	target process
PID 1864 set thread context of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe

pid	process
1164	GI_hackV2.2.exe

description	pid	process
Token: SeDebugPrivilege	1164	GI_hackV2.2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

GI_hackV2.2.exe

description	pid	process	target process
PID 1864 wrote to memory of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 1864 wrote to memory of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 1864 wrote to memory of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 1864 wrote to memory of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 1864 wrote to memory of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 1864 wrote to memory of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 1864 wrote to memory of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe
PID 1864 wrote to memory of 1164	1864	GI_hackV2.2.exe	GI_hackV2.2.exe

C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
"C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
C:\Users\Admin\AppData\Local\Temp\GI_hackV2.2.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GI_hackV2.2.exe.log

MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
memory/1164-130-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1164-121-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1164-127-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1164-138-0x0000000008500000-0x0000000008501000-memory.dmp

Filesize
4KB

Download
memory/1164-128-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/1164-122-0x000000000041854E-mapping.dmp

Download
memory/1164-137-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/1164-129-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1164-136-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/1164-133-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/1164-126-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/1164-131-0x00000000057E0000-0x0000000005DE6000-memory.dmp

Filesize
6.0MB

Download
memory/1864-115-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1864-118-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1864-119-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1864-117-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1864-120-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing