redline | d0f0261c323ff82079ce60fb591082b69f97c3106315e6017d03b800b65894fe

General

Target

Sun03e4aeb7e43a1c.exe
Size

309KB
MD5

a8261f626a6e743ee0ce9abe3da429a1
SHA1

c12339c5bf0f1867c3ffbfb6bfe24feb12748078
SHA256

d0f0261c323ff82079ce60fb591082b69f97c3106315e6017d03b800b65894fe
SHA512

64542e73edfa809f916784ce13b90284877380becd52d9401b1c17fe3cc9991498597e5f869701df905119780e46654c83c09993bf3e277cb110637225cb112a

Score

10^/10

redline somebody discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

SomeBody

C2

185.215.113.29:36224

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1000-129-0x0000000002180000-0x000000000219C000-memory.dmp	family_redline
behavioral2/memory/1000-133-0x0000000002550000-0x000000000256B000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

8746330376.exe4865503551.exe

pid process

1172 8746330376.exe
1000 4865503551.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 freegeoip.app
28 freegeoip.app
29 freegeoip.app
31 freegeoip.app

pid	process
1172	8746330376.exe
1000	4865503551.exe

flow	ioc
26	freegeoip.app
28	freegeoip.app
29	freegeoip.app
31	freegeoip.app

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8746330376.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\8746330376.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1752 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4865503551.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1000 4865503551.exe
Token: SeDebugPrivilege 1752 taskkill.exe

pid	process
1752	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1000	4865503551.exe
Token: SeDebugPrivilege	1752	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Sun03e4aeb7e43a1c.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2596 wrote to memory of 1180	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 2596 wrote to memory of 1180	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 2596 wrote to memory of 1180	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1180 wrote to memory of 1172	1180	cmd.exe	8746330376.exe
PID 1180 wrote to memory of 1172	1180	cmd.exe	8746330376.exe
PID 1180 wrote to memory of 1172	1180	cmd.exe	8746330376.exe
PID 2596 wrote to memory of 1472	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 2596 wrote to memory of 1472	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 2596 wrote to memory of 1472	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 1472 wrote to memory of 1000	1472	cmd.exe	4865503551.exe
PID 1472 wrote to memory of 1000	1472	cmd.exe	4865503551.exe
PID 1472 wrote to memory of 1000	1472	cmd.exe	4865503551.exe
PID 2596 wrote to memory of 2724	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 2596 wrote to memory of 2724	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 2596 wrote to memory of 2724	2596	Sun03e4aeb7e43a1c.exe	cmd.exe
PID 2724 wrote to memory of 1752	2724	cmd.exe	taskkill.exe
PID 2724 wrote to memory of 1752	2724	cmd.exe	taskkill.exe
PID 2724 wrote to memory of 1752	2724	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe
"C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8746330376.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\8746330376.exe
"C:\Users\Admin\AppData\Local\Temp\8746330376.exe"
3⤵
- Executes dropped EXE
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4865503551.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\4865503551.exe
"C:\Users\Admin\AppData\Local\Temp\4865503551.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun03e4aeb7e43a1c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Sun03e4aeb7e43a1c.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sun03e4aeb7e43a1c.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4865503551.exe
MD5
c8a54178bca548e62bc755b59eaac4d2

SHA1
fd6820252e4717ee0607da991904b7a2b96d5a8c

SHA256
1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

SHA512
acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4865503551.exe
MD5
c8a54178bca548e62bc755b59eaac4d2

SHA1
fd6820252e4717ee0607da991904b7a2b96d5a8c

SHA256
1a0bbc5b4780978864b67d31e87a434bc7c60d72c6e014f1018318743ef836b3

SHA512
acb16d4854a7ff72d6186e667ab8642eb0120f9cbb66f366efb3b96ae5b8228686b69863cd405bfc65a779a29d2fdce439dbf0e0c825df201aea8811a5d2688b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8746330376.exe
MD5
0316a4971affb23ccf2cfa83d0de9392

SHA1
74f2661e497b2079981447666a4fc71ede4e1774

SHA256
455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288

SHA512
673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\8746330376.exe
MD5
0316a4971affb23ccf2cfa83d0de9392

SHA1
74f2661e497b2079981447666a4fc71ede4e1774

SHA256
455a5f61669029076d9cb7f128e53740721d3606ce8297bd050235186062d288

SHA512
673638a4dd197d68633364d23b98329184a090262e8605b8c51fb6ee95a48374470564b1519720c554b1880ed11fe81840363de4aaff6a5c68a62a072837ed20

Download Submit
memory/1000-130-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1000-134-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1000-146-0x00000000065E0000-0x00000000065E1000-memory.dmp

Filesize
4KB

Download
memory/1000-145-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/1000-123-0x0000000000000000-mapping.dmp

Download
memory/1000-144-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1000-143-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/1000-127-0x0000000002070000-0x00000000020A0000-memory.dmp

Filesize
192KB

Download
memory/1000-126-0x0000000002040000-0x0000000002062000-memory.dmp

Filesize
136KB

Download
memory/1000-128-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1000-129-0x0000000002180000-0x000000000219C000-memory.dmp

Filesize
112KB

Download
memory/1000-131-0x0000000004B82000-0x0000000004B83000-memory.dmp

Filesize
4KB

Download
memory/1000-142-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/1000-132-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1000-133-0x0000000002550000-0x000000000256B000-memory.dmp

Filesize
108KB

Download
memory/1000-141-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/1000-135-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1000-136-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1000-137-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1000-138-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1000-139-0x0000000004B83000-0x0000000004B84000-memory.dmp

Filesize
4KB

Download
memory/1000-140-0x0000000004B84000-0x0000000004B86000-memory.dmp

Filesize
8KB

Download
memory/1172-119-0x0000000000000000-mapping.dmp

Download
memory/1180-118-0x0000000000000000-mapping.dmp

Download
memory/1472-121-0x0000000000000000-mapping.dmp

Download
memory/1752-148-0x0000000000000000-mapping.dmp

Download
memory/2596-116-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/2596-115-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/2596-117-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2724-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads