redline | ebf527cd61c0b4250751c8263d858406b4aff2a852fd6a05fa262a355c5a6269

General

Target

200e0067b6404714987c1512cb35afb9.exe
Size

41KB
MD5

200e0067b6404714987c1512cb35afb9
SHA1

cb25d2295b34fc7b83e1689afb665d685c1d9871
SHA256

ebf527cd61c0b4250751c8263d858406b4aff2a852fd6a05fa262a355c5a6269
SHA512

f05c6dc341a8c07054bbe2eed3c3f4a358562dd124dc8f549442ae1cc5a169677f0f5edaf81ecc1516239017601b2a8577a3fbcac1165be80bf75ccdc600fdbe

Score

10^/10

redline build1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Build1

C2

193.203.203.82:23108

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/652-126-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/652-127-0x0000000000418D2E-mapping.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

200e0067b6404714987c1512cb35afb9.exe

description pid process target process

PID 2608 set thread context of 652 2608 200e0067b6404714987c1512cb35afb9.exe 200e0067b6404714987c1512cb35afb9.exe

description	pid	process	target process
PID 2608 set thread context of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

200e0067b6404714987c1512cb35afb9.exe

pid	process
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe
2608	200e0067b6404714987c1512cb35afb9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

200e0067b6404714987c1512cb35afb9.exe200e0067b6404714987c1512cb35afb9.exe

description pid process

Token: SeDebugPrivilege 2608 200e0067b6404714987c1512cb35afb9.exe
Token: SeDebugPrivilege 652 200e0067b6404714987c1512cb35afb9.exe

description	pid	process
Token: SeDebugPrivilege	2608	200e0067b6404714987c1512cb35afb9.exe
Token: SeDebugPrivilege	652	200e0067b6404714987c1512cb35afb9.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

200e0067b6404714987c1512cb35afb9.exe

description	pid	process	target process
PID 2608 wrote to memory of 512	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 512	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 512	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 588	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 588	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 588	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe
PID 2608 wrote to memory of 652	2608	200e0067b6404714987c1512cb35afb9.exe	200e0067b6404714987c1512cb35afb9.exe

C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
"C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
2⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
2⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
C:\Users\Admin\AppData\Local\Temp\200e0067b6404714987c1512cb35afb9.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\200e0067b6404714987c1512cb35afb9.exe.log
MD5
33d8c4dbf3e10c8fca4b7aa6214b2ecf

SHA1
e71162077eee13ddef8455d5cc24651bbb651306

SHA256
c8b10327c45c7b59598fec754c01895154d794eb3fc7b2496b32b05e4b0cc372

SHA512
1d92c1a0b8cb3fa3e66c048613161128a00ae76a35fddf6fe241148680ad0d2bb1e1d09d77ed3054423b7fc0ca8d8301f922ae96e0c7f6fbd38fbfafc397a262

Download Submit
memory/652-136-0x0000000005660000-0x0000000005C66000-memory.dmp

Filesize
6.0MB

Download
memory/652-135-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/652-131-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/652-142-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/652-140-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/652-138-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/652-126-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/652-127-0x0000000000418D2E-mapping.dmp

Download
memory/652-134-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/652-143-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/652-133-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/652-132-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2608-122-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/2608-121-0x0000000004D40000-0x0000000004D84000-memory.dmp

Filesize
272KB

Download
memory/2608-118-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2608-125-0x0000000005AA0000-0x0000000005AB8000-memory.dmp

Filesize
96KB

Download
memory/2608-124-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/2608-123-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/2608-120-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads