redline | ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae

General

Target

ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe
Size

656KB
MD5

3809f4a381c0f6da1c9bcecf01c66684
SHA1

5c157fd28ba9fe3a0841beb8ed912e550a67ce89
SHA256

ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae
SHA512

2bd22a895c8556644d773821a341901144bb8152a21cd3022ed88910515761baaf1281284db937534863491655a51c909eea458051ce10e42b94a92a641b0a5c

Score

10^/10

redline 09.11 infostealer

Malware Config

Extracted

Family

redline

Botnet

09.11

C2

185.215.113.17:7700

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4220-124-0x00000000023D0000-0x00000000023FE000-memory.dmp	family_redline
behavioral1/memory/4220-132-0x0000000002490000-0x00000000024BC000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

dipster.exe

pid process

4220 dipster.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4220	dipster.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dipster.exe

description pid process

Token: SeDebugPrivilege 4220 dipster.exe

description	pid	process
Token: SeDebugPrivilege	4220	dipster.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe

description	pid	process	target process
PID 3584 wrote to memory of 4220	3584	ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe	dipster.exe
PID 3584 wrote to memory of 4220	3584	ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe	dipster.exe
PID 3584 wrote to memory of 4220	3584	ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe	dipster.exe

C:\Users\Admin\AppData\Local\Temp\ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe
"C:\Users\Admin\AppData\Local\Temp\ced4db50a857760c1f68b6bf53026b63ef3611a7287aee75516963767e3413ae.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Roaming\warmded\dipster.exe
dipster.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\warmded\dipster.exe
MD5
60c1c744ea8ef33fecca02fc1ed86d87

SHA1
8c63cb28883d6816e13a4a1da3915233687fb33f

SHA256
1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc

SHA512
082e8176ab8648e3427f2fcbc6c472ea47091e14c9062214cc4f3a6b33336e18a8c2c5d48cda0be855b1f9e4d9c06ea90584ee5b8b6381b5cb01f474642b2ea0

Download Submit
C:\Users\Admin\AppData\Roaming\warmded\dipster.exe
MD5
60c1c744ea8ef33fecca02fc1ed86d87

SHA1
8c63cb28883d6816e13a4a1da3915233687fb33f

SHA256
1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc

SHA512
082e8176ab8648e3427f2fcbc6c472ea47091e14c9062214cc4f3a6b33336e18a8c2c5d48cda0be855b1f9e4d9c06ea90584ee5b8b6381b5cb01f474642b2ea0

Download Submit
memory/3584-119-0x00000000047F0000-0x00000000048BF000-memory.dmp

Filesize
828KB

Download
memory/3584-120-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3584-118-0x0000000002E5E000-0x0000000002ECA000-memory.dmp

Filesize
432KB

Download
memory/4220-128-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4220-130-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/4220-126-0x00000000020A0000-0x00000000020D9000-memory.dmp

Filesize
228KB

Download
memory/4220-125-0x0000000002070000-0x000000000209B000-memory.dmp

Filesize
172KB

Download
memory/4220-127-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4220-121-0x0000000000000000-mapping.dmp

Download
memory/4220-129-0x0000000004B73000-0x0000000004B74000-memory.dmp

Filesize
4KB

Download
memory/4220-124-0x00000000023D0000-0x00000000023FE000-memory.dmp

Filesize
184KB

Download
memory/4220-131-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/4220-132-0x0000000002490000-0x00000000024BC000-memory.dmp

Filesize
176KB

Download
memory/4220-133-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4220-134-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/4220-135-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4220-136-0x0000000004B74000-0x0000000004B76000-memory.dmp

Filesize
8KB

Download
memory/4220-137-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/4220-138-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads