redline | aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc

General

Target

036f4601b88c52668d279cf3fcce2a97.exe
Size

68KB
MD5

036f4601b88c52668d279cf3fcce2a97
SHA1

9d67601c7e37e1d7e7c36820ad360169c16628df
SHA256

aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc
SHA512

08b40274ad8d24a7f7775da9d7755d13aa0a110250008ceb02bae54fa8074d40d6ccfbfe28e2cf2c25d5904d931135a6bfe467ca6b5439422b1d2225c5756d70

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2884-411-0x0000000000418D2E-mapping.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exe

description pid process target process

PID 3104 set thread context of 2884 3104 036f4601b88c52668d279cf3fcce2a97.exe 036f4601b88c52668d279cf3fcce2a97.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3104 set thread context of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exepowershell.exepowershell.exepowershell.exe036f4601b88c52668d279cf3fcce2a97.exe

pid	process
3104	036f4601b88c52668d279cf3fcce2a97.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
3104	036f4601b88c52668d279cf3fcce2a97.exe
2884	036f4601b88c52668d279cf3fcce2a97.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3104	036f4601b88c52668d279cf3fcce2a97.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeIncreaseQuotaPrivilege	3364	powershell.exe
Token: SeSecurityPrivilege	3364	powershell.exe
Token: SeTakeOwnershipPrivilege	3364	powershell.exe
Token: SeLoadDriverPrivilege	3364	powershell.exe
Token: SeSystemProfilePrivilege	3364	powershell.exe
Token: SeSystemtimePrivilege	3364	powershell.exe
Token: SeProfSingleProcessPrivilege	3364	powershell.exe
Token: SeIncBasePriorityPrivilege	3364	powershell.exe
Token: SeCreatePagefilePrivilege	3364	powershell.exe
Token: SeBackupPrivilege	3364	powershell.exe
Token: SeRestorePrivilege	3364	powershell.exe
Token: SeShutdownPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeSystemEnvironmentPrivilege	3364	powershell.exe
Token: SeRemoteShutdownPrivilege	3364	powershell.exe
Token: SeUndockPrivilege	3364	powershell.exe
Token: SeManageVolumePrivilege	3364	powershell.exe
Token: 33	3364	powershell.exe
Token: 34	3364	powershell.exe
Token: 35	3364	powershell.exe
Token: 36	3364	powershell.exe
Token: SeIncreaseQuotaPrivilege	3364	powershell.exe
Token: SeSecurityPrivilege	3364	powershell.exe
Token: SeTakeOwnershipPrivilege	3364	powershell.exe
Token: SeLoadDriverPrivilege	3364	powershell.exe
Token: SeSystemProfilePrivilege	3364	powershell.exe
Token: SeSystemtimePrivilege	3364	powershell.exe
Token: SeProfSingleProcessPrivilege	3364	powershell.exe
Token: SeIncBasePriorityPrivilege	3364	powershell.exe
Token: SeCreatePagefilePrivilege	3364	powershell.exe
Token: SeBackupPrivilege	3364	powershell.exe
Token: SeRestorePrivilege	3364	powershell.exe
Token: SeShutdownPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeSystemEnvironmentPrivilege	3364	powershell.exe
Token: SeRemoteShutdownPrivilege	3364	powershell.exe
Token: SeUndockPrivilege	3364	powershell.exe
Token: SeManageVolumePrivilege	3364	powershell.exe
Token: 33	3364	powershell.exe
Token: 34	3364	powershell.exe
Token: 35	3364	powershell.exe
Token: 36	3364	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeIncreaseQuotaPrivilege	1448	powershell.exe
Token: SeSecurityPrivilege	1448	powershell.exe
Token: SeTakeOwnershipPrivilege	1448	powershell.exe
Token: SeLoadDriverPrivilege	1448	powershell.exe
Token: SeSystemProfilePrivilege	1448	powershell.exe
Token: SeSystemtimePrivilege	1448	powershell.exe
Token: SeProfSingleProcessPrivilege	1448	powershell.exe
Token: SeIncBasePriorityPrivilege	1448	powershell.exe
Token: SeCreatePagefilePrivilege	1448	powershell.exe
Token: SeBackupPrivilege	1448	powershell.exe
Token: SeRestorePrivilege	1448	powershell.exe
Token: SeShutdownPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeSystemEnvironmentPrivilege	1448	powershell.exe
Token: SeRemoteShutdownPrivilege	1448	powershell.exe
Token: SeUndockPrivilege	1448	powershell.exe
Token: SeManageVolumePrivilege	1448	powershell.exe
Token: 33	1448	powershell.exe
Token: 34	1448	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exe

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
"C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
2⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
2⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
2⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\036f4601b88c52668d279cf3fcce2a97.exe.log
MD5
daa436d058b25bdde9e2d6fe53c6ccf6

SHA1
3fc5d1eab28db05865915d8f6d9ecf85d9cc1d9e

SHA256
afb0ed8659b214fe4251a87a1c0a362c123363497fbd50737c1ae36a9376c4cd

SHA512
84f13582070ae4a3a9bb5e4b29620e659c258ab282e43e9bfa50528c08aae875d8c33cf3647fbb1253102af39b89f3b97f316e62f544355cc9c379e04fba960a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6ddc34dac7ba7778666f53e78436472c

SHA1
4deccf8a4082de78c9ab1373879c96d96684b610

SHA256
513f25241a697c50ba3ae28993edd29910a781fa90d4b205cb4990a39495e23d

SHA512
2bd818945eca1307a65fdf658cb5706524aed11e55e02d3cb2852a165e18a6f871a7191c6264f50a3ce92e0d94661c21ee5e59b949f2adcb1e086376fcc514b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7dd8652e2f3209102b7886f38afb5011

SHA1
6a56cd4d9e5e3645a5eb9b0649356011a77c99ac

SHA256
312b58f8433a4c432e0c54f3a922a2bc72dd3b2649e7bbc238df5372cd3b91ef

SHA512
c066752d6c5b2353ba93e86c6281a31f96d68679f99c0a4f08ad04f113e5c609a069268661f3a65acf87e0a61a2894628188de18050adc97e2821fa0f93bbabb

Download Submit
memory/1448-213-0x0000000000000000-mapping.dmp

Download
memory/1448-244-0x0000000007213000-0x0000000007214000-memory.dmp

Filesize
4KB

Download
memory/1448-228-0x0000000007212000-0x0000000007213000-memory.dmp

Filesize
4KB

Download
memory/1448-227-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/2884-420-0x00000000050A0000-0x00000000056A6000-memory.dmp

Filesize
6.0MB

Download
memory/2884-411-0x0000000000418D2E-mapping.dmp

Download
memory/3104-122-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3104-115-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3364-125-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/3364-126-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/3364-130-0x00000000089D0000-0x00000000089D1000-memory.dmp

Filesize
4KB

Download
memory/3364-131-0x0000000008940000-0x0000000008941000-memory.dmp

Filesize
4KB

Download
memory/3364-132-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3364-136-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/3364-137-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/3364-138-0x00000000096F0000-0x00000000096F1000-memory.dmp

Filesize
4KB

Download
memory/3364-139-0x0000000009C20000-0x0000000009C21000-memory.dmp

Filesize
4KB

Download
memory/3364-146-0x000000000A7A0000-0x000000000A7A1000-memory.dmp

Filesize
4KB

Download
memory/3364-147-0x0000000007333000-0x0000000007334000-memory.dmp

Filesize
4KB

Download
memory/3364-128-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/3364-127-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/3364-129-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/3364-124-0x0000000007332000-0x0000000007333000-memory.dmp

Filesize
4KB

Download
memory/3364-123-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/3364-121-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/3364-117-0x0000000000000000-mapping.dmp

Download
memory/3364-120-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3364-118-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3364-119-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3684-356-0x00000000068D3000-0x00000000068D4000-memory.dmp

Filesize
4KB

Download
memory/3684-323-0x00000000068D2000-0x00000000068D3000-memory.dmp

Filesize
4KB

Download
memory/3684-322-0x00000000068D0000-0x00000000068D1000-memory.dmp

Filesize
4KB

Download
memory/3684-310-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3104 wrote to memory of 3364	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 3364	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 3364	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 1448	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 1448	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 1448	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 3684	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 3684	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 3684	3104	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 3104 wrote to memory of 2760	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2760	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2760	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 4028	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 4028	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 4028	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2288	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2288	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2288	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 3104 wrote to memory of 2884	3104	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads