redline | 3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36

General

Target

build.exe
Size

1.7MB
MD5

618ea7b0e2a26f3c6db0a8664c63fc6f
SHA1

f2d41df1d55178b5f7de0512912159f2663296cd
SHA256

3215decffc40b3257ebeb9b6e5c81c45e298a020f33ef90c9418c153c6071b36
SHA512

5bda8aef91d4ac0a4eb09427b996b8fb0792297991af8a2ddf563676ae14a724eed77e1b4dd0573c9abc094604c172b1a5a2587ae33814105afc7fc87fc872a5

Score

10^/10

redline agilenet discovery evasion infostealer persistence spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1036-217-0x0000000000418EEA-mapping.dmp	family_redline
behavioral2/memory/1036-227-0x0000000005080000-0x0000000005686000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1634428368.exe1634428368.exe

pid process

872 1634428368.exe
1036 1634428368.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
872	1634428368.exe
1036	1634428368.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1634428368.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\1634428368.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\1634428368.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Registry.exe"	build.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

1634428368.exe

description pid process target process

PID 872 set thread context of 1036 872 1634428368.exe 1634428368.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 23 Go-http-client/1.1

description	pid	process	target process
PID 872 set thread context of 1036	872	1634428368.exe	1634428368.exe

description	flow	ioc
HTTP User-Agent header	23	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exe1634428368.exe1634428368.exe

pid	process
3612	powershell.exe
3612	powershell.exe
3612	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
872	1634428368.exe
872	1634428368.exe
1036	1634428368.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

3320 cmd.exe

pid	process
3320	cmd.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

powershell.exepowershell.exe1634428368.exe1634428368.exe

description	pid	process
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeIncreaseQuotaPrivilege	3612	powershell.exe
Token: SeSecurityPrivilege	3612	powershell.exe
Token: SeIncreaseQuotaPrivilege	3932	powershell.exe
Token: SeSecurityPrivilege	3932	powershell.exe
Token: SeTakeOwnershipPrivilege	3612	powershell.exe
Token: SeTakeOwnershipPrivilege	3932	powershell.exe
Token: SeLoadDriverPrivilege	3932	powershell.exe
Token: SeLoadDriverPrivilege	3612	powershell.exe
Token: SeSystemProfilePrivilege	3932	powershell.exe
Token: SeSystemProfilePrivilege	3612	powershell.exe
Token: SeSystemtimePrivilege	3932	powershell.exe
Token: SeSystemtimePrivilege	3612	powershell.exe
Token: SeProfSingleProcessPrivilege	3932	powershell.exe
Token: SeIncBasePriorityPrivilege	3932	powershell.exe
Token: SeProfSingleProcessPrivilege	3612	powershell.exe
Token: SeCreatePagefilePrivilege	3932	powershell.exe
Token: SeIncBasePriorityPrivilege	3612	powershell.exe
Token: SeBackupPrivilege	3932	powershell.exe
Token: SeCreatePagefilePrivilege	3612	powershell.exe
Token: SeRestorePrivilege	3932	powershell.exe
Token: SeShutdownPrivilege	3932	powershell.exe
Token: SeBackupPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeRestorePrivilege	3612	powershell.exe
Token: SeSystemEnvironmentPrivilege	3932	powershell.exe
Token: SeShutdownPrivilege	3612	powershell.exe
Token: SeRemoteShutdownPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeUndockPrivilege	3932	powershell.exe
Token: SeSystemEnvironmentPrivilege	3612	powershell.exe
Token: SeManageVolumePrivilege	3932	powershell.exe
Token: 33	3932	powershell.exe
Token: SeRemoteShutdownPrivilege	3612	powershell.exe
Token: 34	3932	powershell.exe
Token: SeUndockPrivilege	3612	powershell.exe
Token: 35	3932	powershell.exe
Token: 36	3932	powershell.exe
Token: SeManageVolumePrivilege	3612	powershell.exe
Token: 33	3612	powershell.exe
Token: 34	3612	powershell.exe
Token: 35	3612	powershell.exe
Token: 36	3612	powershell.exe
Token: SeDebugPrivilege	872	1634428368.exe
Token: SeDebugPrivilege	1036	1634428368.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

build.execmd.execmd.execmd.execmd.execmd.exe1634428368.exe

description	pid	process	target process
PID 2716 wrote to memory of 3592	2716	build.exe	cmd.exe
PID 2716 wrote to memory of 3592	2716	build.exe	cmd.exe
PID 2716 wrote to memory of 3320	2716	build.exe	cmd.exe
PID 2716 wrote to memory of 3320	2716	build.exe	cmd.exe
PID 3592 wrote to memory of 3612	3592	cmd.exe	powershell.exe
PID 3592 wrote to memory of 3612	3592	cmd.exe	powershell.exe
PID 2716 wrote to memory of 772	2716	build.exe	cmd.exe
PID 2716 wrote to memory of 772	2716	build.exe	cmd.exe
PID 772 wrote to memory of 592	772	cmd.exe	reg.exe
PID 772 wrote to memory of 592	772	cmd.exe	reg.exe
PID 2716 wrote to memory of 3324	2716	build.exe	cmd.exe
PID 2716 wrote to memory of 3324	2716	build.exe	cmd.exe
PID 2716 wrote to memory of 2664	2716	build.exe	cmd.exe
PID 2716 wrote to memory of 2664	2716	build.exe	cmd.exe
PID 3324 wrote to memory of 3500	3324	cmd.exe	attrib.exe
PID 3324 wrote to memory of 3500	3324	cmd.exe	attrib.exe
PID 2664 wrote to memory of 3932	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 3932	2664	cmd.exe	powershell.exe
PID 2716 wrote to memory of 3436	2716	build.exe	cmd.exe
PID 2716 wrote to memory of 3436	2716	build.exe	cmd.exe
PID 3436 wrote to memory of 872	3436	cmd.exe	1634428368.exe
PID 3436 wrote to memory of 872	3436	cmd.exe	1634428368.exe
PID 3436 wrote to memory of 872	3436	cmd.exe	1634428368.exe
PID 872 wrote to memory of 1036	872	1634428368.exe	1634428368.exe
PID 872 wrote to memory of 1036	872	1634428368.exe	1634428368.exe
PID 872 wrote to memory of 1036	872	1634428368.exe	1634428368.exe
PID 872 wrote to memory of 1036	872	1634428368.exe	1634428368.exe
PID 872 wrote to memory of 1036	872	1634428368.exe	1634428368.exe
PID 872 wrote to memory of 1036	872	1634428368.exe	1634428368.exe
PID 872 wrote to memory of 1036	872	1634428368.exe	1634428368.exe
PID 872 wrote to memory of 1036	872	1634428368.exe	1634428368.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3500 attrib.exe

pid	process
3500	attrib.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\cmd.exe
cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\cmd.exe
cmd /Q /C move /Y C:\Users\Admin\AppData\Local\Temp\build.exe C:\Users\Admin\AppData\Roaming\Microsoft\Registry.exe
2⤵
- Suspicious behavior: RenamesItself
PID:3320

C:\Windows\system32\cmd.exe
cmd /Q /C reg add "HKCU\Software\Networking5 Servic1e" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Networking5 Servic1e" /f
3⤵
PID:592

C:\Windows\system32\cmd.exe
cmd /C "attrib +S +H C:\Users\Admin\AppData\Roaming\Microsoft\Registry.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\system32\attrib.exe
attrib +S +H C:\Users\Admin\AppData\Roaming\Microsoft\Registry.exe
3⤵
- Views/modifies file attributes
PID:3500

C:\Windows\system32\cmd.exe
cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\cmd.exe
cmd /C C:\Users\Admin\AppData\Local\Temp\1634428368.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\1634428368.exe
C:\Users\Admin\AppData\Local\Temp\1634428368.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\1634428368.exe
C:\Users\Admin\AppData\Local\Temp\1634428368.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1634428368.exe.log
MD5
daa436d058b25bdde9e2d6fe53c6ccf6

SHA1
3fc5d1eab28db05865915d8f6d9ecf85d9cc1d9e

SHA256
afb0ed8659b214fe4251a87a1c0a362c123363497fbd50737c1ae36a9376c4cd

SHA512
84f13582070ae4a3a9bb5e4b29620e659c258ab282e43e9bfa50528c08aae875d8c33cf3647fbb1253102af39b89f3b97f316e62f544355cc9c379e04fba960a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d951bdc4b32e06f2fb10fcfe7475014b

SHA1
ab38f1e01417011fcbcf4a67036430062dde87ec

SHA256
009d3afd246e158c7cc494352447164320080c3ebb0af88caa8e83f0bb29de2b

SHA512
9e71dd8f731b97cb20248e39435559aa598d93632a5ae5e0b3c5ca5c11bd9aa9ce16ab10f4ff9061901b18b2423e5a9e2ad66ef743d295350d20c538cc575701

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634428368.exe
MD5
093cdb435c4003e1a7d4269e332730a1

SHA1
c8cff0231c22d5285a73f03b7624b4c60d79b820

SHA256
bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613

SHA512
9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634428368.exe
MD5
093cdb435c4003e1a7d4269e332730a1

SHA1
c8cff0231c22d5285a73f03b7624b4c60d79b820

SHA256
bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613

SHA512
9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634428368.exe
MD5
093cdb435c4003e1a7d4269e332730a1

SHA1
c8cff0231c22d5285a73f03b7624b4c60d79b820

SHA256
bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613

SHA512
9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8

Download Submit
memory/592-124-0x0000000000000000-mapping.dmp

Download
memory/772-118-0x0000000000000000-mapping.dmp

Download
memory/872-206-0x0000000000000000-mapping.dmp

Download
memory/872-211-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1036-227-0x0000000005080000-0x0000000005686000-memory.dmp

Filesize
6.0MB

Download
memory/1036-217-0x0000000000418EEA-mapping.dmp

Download
memory/2664-127-0x0000000000000000-mapping.dmp

Download
memory/3320-116-0x0000000000000000-mapping.dmp

Download
memory/3324-126-0x0000000000000000-mapping.dmp

Download
memory/3436-205-0x0000000000000000-mapping.dmp

Download
memory/3500-132-0x0000000000000000-mapping.dmp

Download
memory/3592-115-0x0000000000000000-mapping.dmp

Download
memory/3612-128-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-140-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-117-0x0000000000000000-mapping.dmp

Download
memory/3612-137-0x000001411BD53000-0x000001411BD55000-memory.dmp

Filesize
8KB

Download
memory/3612-119-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-135-0x000001411BD50000-0x000001411BD52000-memory.dmp

Filesize
8KB

Download
memory/3612-120-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-157-0x000001411BD56000-0x000001411BD58000-memory.dmp

Filesize
8KB

Download
memory/3612-121-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-122-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-123-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-125-0x000001411BD10000-0x000001411BD11000-memory.dmp

Filesize
4KB

Download
memory/3612-129-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-130-0x0000014119F20000-0x0000014119F22000-memory.dmp

Filesize
8KB

Download
memory/3612-203-0x000001411BD58000-0x000001411BD59000-memory.dmp

Filesize
4KB

Download
memory/3612-131-0x0000014135FF0000-0x0000014135FF1000-memory.dmp

Filesize
4KB

Download
memory/3932-139-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-158-0x0000024CA7CF6000-0x0000024CA7CF8000-memory.dmp

Filesize
8KB

Download
memory/3932-133-0x0000000000000000-mapping.dmp

Download
memory/3932-156-0x0000024CA7CF3000-0x0000024CA7CF5000-memory.dmp

Filesize
8KB

Download
memory/3932-204-0x0000024CA7CF8000-0x0000024CA7CF9000-memory.dmp

Filesize
4KB

Download
memory/3932-155-0x0000024CA7CF0000-0x0000024CA7CF2000-memory.dmp

Filesize
8KB

Download
memory/3932-149-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-147-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-146-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-145-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-144-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-134-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-141-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-136-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download
memory/3932-138-0x0000024CA6340000-0x0000024CA6342000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads