redline | 73186a5d3be2fa9711f31dfbac376773f5e05116652ff2d413edea2390670ee5

General

Target

Top.exe
Size

212KB
MD5

96427c202bca1af1acd22256c92cc898
SHA1

728fd65a135a31b83138cc7b1e0754b17bb5ee81
SHA256

73186a5d3be2fa9711f31dfbac376773f5e05116652ff2d413edea2390670ee5
SHA512

9ddd65f6d72b00838189b7e954a91fd182e5d7808aa2927f762945d3991982649ef3d6bc745e22552fdfea02e5afae452e9f03ec86ee63f6fc49875c95d60d56

Score

10^/10

redline @top_seller_ak discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@Top_seller_ak

C2

51.91.193.177:18717

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2720-152-0x0000000000400000-0x000000000041F000-memory.dmp	family_redline
behavioral2/memory/2720-158-0x0000000005680000-0x0000000005B7E000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Nonconjugation.exeRuntimeBroker.exe

pid process

1560 Nonconjugation.exe
2604 RuntimeBroker.exe
Drops startup file 1 IoCs

Processes:

RuntimeBroker.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

regasm.exe

pid process

2720 regasm.exe
2720 regasm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Top.exe

description pid process target process

PID 3456 set thread context of 2720 3456 Top.exe regasm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regasm.exe

pid process

2720 regasm.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Top.exe

pid process

3456 Top.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

regasm.exeRuntimeBroker.exeNonconjugation.exe

description pid process

Token: SeDebugPrivilege 2720 regasm.exe
Token: 35 2604 RuntimeBroker.exe
Token: SeDebugPrivilege 1560 Nonconjugation.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Top.exe

pid process

3456 Top.exe

pid	process
1560	Nonconjugation.exe
2604	RuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk	RuntimeBroker.exe

pid	process
2720	regasm.exe
2720	regasm.exe

description	pid	process	target process
PID 3456 set thread context of 2720	3456	Top.exe	regasm.exe

pid	process
2720	regasm.exe

pid	process
3456	Top.exe

description	pid	process
Token: SeDebugPrivilege	2720	regasm.exe
Token: 35	2604	RuntimeBroker.exe
Token: SeDebugPrivilege	1560	Nonconjugation.exe

pid	process
3456	Top.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Top.exeregasm.exe

description	pid	process	target process
PID 3456 wrote to memory of 2720	3456	Top.exe	regasm.exe
PID 3456 wrote to memory of 2720	3456	Top.exe	regasm.exe
PID 3456 wrote to memory of 2720	3456	Top.exe	regasm.exe
PID 3456 wrote to memory of 2720	3456	Top.exe	regasm.exe
PID 2720 wrote to memory of 1560	2720	regasm.exe	Nonconjugation.exe
PID 2720 wrote to memory of 1560	2720	regasm.exe	Nonconjugation.exe
PID 2720 wrote to memory of 2604	2720	regasm.exe	RuntimeBroker.exe
PID 2720 wrote to memory of 2604	2720	regasm.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\Top.exe
"C:\Users\Admin\AppData\Local\Temp\Top.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\Nonconjugation.exe
"C:\Users\Admin\AppData\Local\Temp\Nonconjugation.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nonconjugation.exe
MD5
d7881860a75e6bb3eab8ac39d030a5f8

SHA1
f0819587f1d91f39983dd2a8a425ec4c587f76e3

SHA256
3d55a01696666b6b5498ab33c770ba2ab8c5f066a8ac5816b0695e2f84d641c4

SHA512
cf6c481f420aaef40b405ff55ff87db942fd1614211ce0ca6ef30253280067759eb3fe9faf12702a60059c24bfa3da97ba148cd449ee70eba5f6902f75576029

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nonconjugation.exe
MD5
d7881860a75e6bb3eab8ac39d030a5f8

SHA1
f0819587f1d91f39983dd2a8a425ec4c587f76e3

SHA256
3d55a01696666b6b5498ab33c770ba2ab8c5f066a8ac5816b0695e2f84d641c4

SHA512
cf6c481f420aaef40b405ff55ff87db942fd1614211ce0ca6ef30253280067759eb3fe9faf12702a60059c24bfa3da97ba148cd449ee70eba5f6902f75576029

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
MD5
949ba7b89f4ae521a9e9b8eb37b3e634

SHA1
48ba8aace3429679cf01a3363b3fec2f1c023e6b

SHA256
4aea9f63c01162e271d6a2b1926ab00ae4f523465ebd2ed0feaea089ba95b86f

SHA512
bfb8e81f16bdb8c69dfbf518555da9001caf3dee14b874dd8c1c1ed32c0add3177eccf2b32fb4b9f0a3ce190075acff68b0ce1ce27d2965f7f60d22370276b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
MD5
949ba7b89f4ae521a9e9b8eb37b3e634

SHA1
48ba8aace3429679cf01a3363b3fec2f1c023e6b

SHA256
4aea9f63c01162e271d6a2b1926ab00ae4f523465ebd2ed0feaea089ba95b86f

SHA512
bfb8e81f16bdb8c69dfbf518555da9001caf3dee14b874dd8c1c1ed32c0add3177eccf2b32fb4b9f0a3ce190075acff68b0ce1ce27d2965f7f60d22370276b93

Download Submit
memory/1560-175-0x000002144A8C0000-0x000002144A8C2000-memory.dmp

Filesize
8KB

Download
memory/1560-178-0x000002144A8C5000-0x000002144A8C7000-memory.dmp

Filesize
8KB

Download
memory/1560-177-0x000002144A8C4000-0x000002144A8C5000-memory.dmp

Filesize
4KB

Download
memory/1560-176-0x000002144A8C2000-0x000002144A8C4000-memory.dmp

Filesize
8KB

Download
memory/1560-166-0x0000000000000000-mapping.dmp

Download
memory/1560-174-0x000002144A8D0000-0x000002144AC10000-memory.dmp

Filesize
3.2MB

Download
memory/1560-179-0x000002144D8D0000-0x000002144DC03000-memory.dmp

Filesize
3.2MB

Download
memory/1560-180-0x000002144DC10000-0x000002144DE7E000-memory.dmp

Filesize
2.4MB

Download
memory/1560-169-0x000002142FFE0000-0x000002142FFE1000-memory.dmp

Filesize
4KB

Download
memory/1560-181-0x000002144E350000-0x000002144E351000-memory.dmp

Filesize
4KB

Download
memory/1560-182-0x000002144DE80000-0x000002144DE81000-memory.dmp

Filesize
4KB

Download
memory/2604-171-0x0000000000000000-mapping.dmp

Download
memory/2720-164-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

Filesize
4KB

Download
memory/2720-153-0x0000000000D50000-0x0000000000DFE000-memory.dmp

Filesize
696KB

Download
memory/2720-165-0x00000000088A0000-0x00000000088A1000-memory.dmp

Filesize
4KB

Download
memory/2720-163-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/2720-162-0x00000000085B0000-0x00000000085B1000-memory.dmp

Filesize
4KB

Download
memory/2720-161-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/2720-160-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/2720-159-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/2720-158-0x0000000005680000-0x0000000005B7E000-memory.dmp

Filesize
5.0MB

Download
memory/2720-157-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/2720-156-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/2720-155-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2720-154-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/2720-146-0x00000000004186AA-mapping.dmp

Download
memory/2720-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-150-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/2720-151-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/3456-144-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-130-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-132-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-142-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/3456-141-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-140-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-139-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-138-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-137-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-136-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-135-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-134-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-115-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/3456-133-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-131-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-147-0x00000000021A0000-0x00000000021A2000-memory.dmp

Filesize
8KB

Download
memory/3456-129-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-128-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-127-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-126-0x0000000000663000-0x0000000000664000-memory.dmp

Filesize
4KB

Download
memory/3456-125-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-124-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/3456-123-0x0000000000665000-0x0000000000666000-memory.dmp

Filesize
4KB

Download
memory/3456-122-0x0000000000663000-0x0000000000664000-memory.dmp

Filesize
4KB

Download
memory/3456-121-0x0000000000663000-0x0000000000664000-memory.dmp

Filesize
4KB

Download
memory/3456-120-0x0000000000665000-0x0000000000666000-memory.dmp

Filesize
4KB

Download
memory/3456-119-0x0000000000665000-0x0000000000666000-memory.dmp

Filesize
4KB

Download
memory/3456-118-0x0000000000665000-0x0000000000666000-memory.dmp

Filesize
4KB

Download
memory/3456-117-0x0000000000665000-0x0000000000666000-memory.dmp

Filesize
4KB

Download
memory/3456-116-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing