redline | ebf527cd61c0b4250751c8263d858406b4aff2a852fd6a05fa262a355c5a6269

General

Target

200e0067b6404714987c1512cb35afb9.exe
Size

41KB
MD5

200e0067b6404714987c1512cb35afb9
SHA1

cb25d2295b34fc7b83e1689afb665d685c1d9871
SHA256

ebf527cd61c0b4250751c8263d858406b4aff2a852fd6a05fa262a355c5a6269
SHA512

f05c6dc341a8c07054bbe2eed3c3f4a358562dd124dc8f549442ae1cc5a169677f0f5edaf81ecc1516239017601b2a8577a3fbcac1165be80bf75ccdc600fdbe

Score

10^/10

redline build1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Build1

C2

193.203.203.82:23108

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1996-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1996-64-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1996-66-0x0000000000418D2E-mapping.dmp	family_redline
behavioral1/memory/1996-65-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1996-67-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

200e0067b6404714987c1512cb35afb9.exe

description pid process target process

PID 776 set thread context of 1996 776 200e0067b6404714987c1512cb35afb9.exe 200e0067b6404714987c1512cb35afb9.exe

description	pid	process	target process
PID 776 set thread context of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

200e0067b6404714987c1512cb35afb9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	200e0067b6404714987c1512cb35afb9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	200e0067b6404714987c1512cb35afb9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	200e0067b6404714987c1512cb35afb9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

200e0067b6404714987c1512cb35afb9.exe

pid process

776 200e0067b6404714987c1512cb35afb9.exe
776 200e0067b6404714987c1512cb35afb9.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

200e0067b6404714987c1512cb35afb9.exe200e0067b6404714987c1512cb35afb9.exe

description pid process

Token: SeDebugPrivilege 776 200e0067b6404714987c1512cb35afb9.exe
Token: SeDebugPrivilege 1996 200e0067b6404714987c1512cb35afb9.exe

pid	process
776	200e0067b6404714987c1512cb35afb9.exe
776	200e0067b6404714987c1512cb35afb9.exe

description	pid	process
Token: SeDebugPrivilege	776	200e0067b6404714987c1512cb35afb9.exe
Token: SeDebugPrivilege	1996	200e0067b6404714987c1512cb35afb9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

200e0067b6404714987c1512cb35afb9.exe

description	pid	process	target process
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 776 wrote to memory of 1996	776	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe

C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
"C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-55-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/776-57-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/776-58-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/776-59-0x00000000049F0000-0x0000000004A34000-memory.dmp

Filesize
272KB

Download
memory/776-60-0x0000000000A40000-0x0000000000A58000-memory.dmp

Filesize
96KB

Download
memory/1996-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-66-0x0000000000418D2E-mapping.dmp

Download
memory/1996-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1996-69-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads