redline | aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc

General

Target

036f4601b88c52668d279cf3fcce2a97.exe
Size

68KB
MD5

036f4601b88c52668d279cf3fcce2a97
SHA1

9d67601c7e37e1d7e7c36820ad360169c16628df
SHA256

aa6843ca9b0bbaf0e41672bf6d3fe076502d3e2ff7683b198428e82e216d42dc
SHA512

08b40274ad8d24a7f7775da9d7755d13aa0a110250008ceb02bae54fa8074d40d6ccfbfe28e2cf2c25d5904d931135a6bfe467ca6b5439422b1d2225c5756d70

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-411-0x0000000000418D2E-mapping.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exe

description pid process target process

PID 2044 set thread context of 2016 2044 036f4601b88c52668d279cf3fcce2a97.exe 036f4601b88c52668d279cf3fcce2a97.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2044 set thread context of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exepowershell.exepowershell.exepowershell.exe036f4601b88c52668d279cf3fcce2a97.exe

pid	process
2044	036f4601b88c52668d279cf3fcce2a97.exe
3320	powershell.exe
3320	powershell.exe
3320	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
1028	powershell.exe
1028	powershell.exe
1028	powershell.exe
2044	036f4601b88c52668d279cf3fcce2a97.exe
2044	036f4601b88c52668d279cf3fcce2a97.exe
2016	036f4601b88c52668d279cf3fcce2a97.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2044	036f4601b88c52668d279cf3fcce2a97.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeIncreaseQuotaPrivilege	3320	powershell.exe
Token: SeSecurityPrivilege	3320	powershell.exe
Token: SeTakeOwnershipPrivilege	3320	powershell.exe
Token: SeLoadDriverPrivilege	3320	powershell.exe
Token: SeSystemProfilePrivilege	3320	powershell.exe
Token: SeSystemtimePrivilege	3320	powershell.exe
Token: SeProfSingleProcessPrivilege	3320	powershell.exe
Token: SeIncBasePriorityPrivilege	3320	powershell.exe
Token: SeCreatePagefilePrivilege	3320	powershell.exe
Token: SeBackupPrivilege	3320	powershell.exe
Token: SeRestorePrivilege	3320	powershell.exe
Token: SeShutdownPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeSystemEnvironmentPrivilege	3320	powershell.exe
Token: SeRemoteShutdownPrivilege	3320	powershell.exe
Token: SeUndockPrivilege	3320	powershell.exe
Token: SeManageVolumePrivilege	3320	powershell.exe
Token: 33	3320	powershell.exe
Token: 34	3320	powershell.exe
Token: 35	3320	powershell.exe
Token: 36	3320	powershell.exe
Token: SeIncreaseQuotaPrivilege	3320	powershell.exe
Token: SeSecurityPrivilege	3320	powershell.exe
Token: SeTakeOwnershipPrivilege	3320	powershell.exe
Token: SeLoadDriverPrivilege	3320	powershell.exe
Token: SeSystemProfilePrivilege	3320	powershell.exe
Token: SeSystemtimePrivilege	3320	powershell.exe
Token: SeProfSingleProcessPrivilege	3320	powershell.exe
Token: SeIncBasePriorityPrivilege	3320	powershell.exe
Token: SeCreatePagefilePrivilege	3320	powershell.exe
Token: SeBackupPrivilege	3320	powershell.exe
Token: SeRestorePrivilege	3320	powershell.exe
Token: SeShutdownPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeSystemEnvironmentPrivilege	3320	powershell.exe
Token: SeRemoteShutdownPrivilege	3320	powershell.exe
Token: SeUndockPrivilege	3320	powershell.exe
Token: SeManageVolumePrivilege	3320	powershell.exe
Token: 33	3320	powershell.exe
Token: 34	3320	powershell.exe
Token: 35	3320	powershell.exe
Token: 36	3320	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeIncreaseQuotaPrivilege	1708	powershell.exe
Token: SeSecurityPrivilege	1708	powershell.exe
Token: SeTakeOwnershipPrivilege	1708	powershell.exe
Token: SeLoadDriverPrivilege	1708	powershell.exe
Token: SeSystemProfilePrivilege	1708	powershell.exe
Token: SeSystemtimePrivilege	1708	powershell.exe
Token: SeProfSingleProcessPrivilege	1708	powershell.exe
Token: SeIncBasePriorityPrivilege	1708	powershell.exe
Token: SeCreatePagefilePrivilege	1708	powershell.exe
Token: SeBackupPrivilege	1708	powershell.exe
Token: SeRestorePrivilege	1708	powershell.exe
Token: SeShutdownPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeSystemEnvironmentPrivilege	1708	powershell.exe
Token: SeRemoteShutdownPrivilege	1708	powershell.exe
Token: SeUndockPrivilege	1708	powershell.exe
Token: SeManageVolumePrivilege	1708	powershell.exe
Token: 33	1708	powershell.exe
Token: 34	1708	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

036f4601b88c52668d279cf3fcce2a97.exe

description	pid	process	target process
PID 2044 wrote to memory of 3320	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 3320	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 3320	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 1708	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 1708	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 1708	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 1028	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 1028	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 1028	2044	036f4601b88c52668d279cf3fcce2a97.exe	powershell.exe
PID 2044 wrote to memory of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 2044 wrote to memory of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 2044 wrote to memory of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 2044 wrote to memory of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 2044 wrote to memory of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 2044 wrote to memory of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 2044 wrote to memory of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe
PID 2044 wrote to memory of 2016	2044	036f4601b88c52668d279cf3fcce2a97.exe	036f4601b88c52668d279cf3fcce2a97.exe

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
"C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
C:\Users\Admin\AppData\Local\Temp\036f4601b88c52668d279cf3fcce2a97.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\036f4601b88c52668d279cf3fcce2a97.exe.log
MD5
daa436d058b25bdde9e2d6fe53c6ccf6

SHA1
3fc5d1eab28db05865915d8f6d9ecf85d9cc1d9e

SHA256
afb0ed8659b214fe4251a87a1c0a362c123363497fbd50737c1ae36a9376c4cd

SHA512
84f13582070ae4a3a9bb5e4b29620e659c258ab282e43e9bfa50528c08aae875d8c33cf3647fbb1253102af39b89f3b97f316e62f544355cc9c379e04fba960a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1b1972046c5c9bf7cc8c7052ff3f388b

SHA1
4e10eff1ac5e77ac1d809351c56df602f6cf9a5d

SHA256
80603462e3323af131213af59fcd0fbf9c7eaa7f3de4fc5e63ecc6311c5521f4

SHA512
4f09bc6c6799f0eb085cc373bd9c70e9f7257e346fcbe2a90cd676d29ba84a43a1cce4993b9110dd24c39ec0b045a08b4a5139a66201946abc2026677df7b43e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3e939dad3662904502f1cf8d95c1f6bd

SHA1
62106d1a82e44cf8427efeb0f19f9581bd586f30

SHA256
a18cb449425b214ff0703f6261a0354dc4af9e2721d2b147f8b50e562adac105

SHA512
96fd3617eb93f88bb5cf719acfca248505d24c4cf696e3723eb257e9d92e8458512628c5aef3831dbb18ded0a1f54986acb4fdccf8a5d8da4b1fad3b9d67517c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
592b4837e96099d01a7dadb6c5df2a57

SHA1
c1aa412fe7923b7d7941e1fdd59413ada6b855ee

SHA256
59725ebc689e426fcd5be282b253be17edfc3b538f1239918bf759df000281a7

SHA512
e2d9ea8ea620e71eda3f61704924c0de5e32264f8a6833c102902ab83d334e4ab31a8dd087796486111363cb308e638f18654de64bb833c94fc5720203a4a3ac

Download Submit
memory/1028-310-0x0000000000000000-mapping.dmp

Download
memory/1028-344-0x0000000004F43000-0x0000000004F44000-memory.dmp

Filesize
4KB

Download
memory/1028-324-0x0000000004F42000-0x0000000004F43000-memory.dmp

Filesize
4KB

Download
memory/1028-323-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/1708-227-0x0000000006EA2000-0x0000000006EA3000-memory.dmp

Filesize
4KB

Download
memory/1708-260-0x0000000006EA3000-0x0000000006EA4000-memory.dmp

Filesize
4KB

Download
memory/1708-213-0x0000000000000000-mapping.dmp

Download
memory/1708-226-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/2016-411-0x0000000000418D2E-mapping.dmp

Download
memory/2016-419-0x0000000005350000-0x0000000005956000-memory.dmp

Filesize
6.0MB

Download
memory/2044-115-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/2044-117-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/3320-125-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/3320-128-0x00000000072D2000-0x00000000072D3000-memory.dmp

Filesize
4KB

Download
memory/3320-137-0x0000000009560000-0x0000000009561000-memory.dmp

Filesize
4KB

Download
memory/3320-138-0x00000000096B0000-0x00000000096B1000-memory.dmp

Filesize
4KB

Download
memory/3320-139-0x0000000009F20000-0x0000000009F21000-memory.dmp

Filesize
4KB

Download
memory/3320-142-0x00000000072D3000-0x00000000072D4000-memory.dmp

Filesize
4KB

Download
memory/3320-147-0x000000000AAA0000-0x000000000AAA1000-memory.dmp

Filesize
4KB

Download
memory/3320-132-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3320-131-0x0000000008950000-0x0000000008951000-memory.dmp

Filesize
4KB

Download
memory/3320-130-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/3320-129-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/3320-136-0x0000000009980000-0x0000000009981000-memory.dmp

Filesize
4KB

Download
memory/3320-127-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/3320-126-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/3320-124-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/3320-123-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/3320-122-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/3320-121-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/3320-120-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3320-119-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3320-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads