redline | bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613

General

Target

bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
Size

396KB
MD5

093cdb435c4003e1a7d4269e332730a1
SHA1

c8cff0231c22d5285a73f03b7624b4c60d79b820
SHA256

bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613
SHA512

9df903c6e990c2f253f82aa9f618f9cfbdead034d34a4cbfdf1fb08f36ceaeb65041faa1fbf17fee972d15a577269aec400cc9ce948041cb7bc77cc04d39ffb8

Score

10^/10

redline infostealer

Malware Config

Extracted

Family

redline

C2

135.181.245.89:24368

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2616-126-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/2616-125-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

description	pid	process	target process
PID 2580 set thread context of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

pid	process
2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

description pid process

Token: SeDebugPrivilege 2580 bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

description	pid	process
Token: SeDebugPrivilege	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

description	pid	process	target process
PID 2580 wrote to memory of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
PID 2580 wrote to memory of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
PID 2580 wrote to memory of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
PID 2580 wrote to memory of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
PID 2580 wrote to memory of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
PID 2580 wrote to memory of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
PID 2580 wrote to memory of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
PID 2580 wrote to memory of 2616	2580	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe	bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe

C:\Users\Admin\AppData\Local\Temp\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
"C:\Users\Admin\AppData\Local\Temp\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\Temp\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
C:\Users\Admin\AppData\Local\Temp\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe
2⤵
PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bff2a3fa0b7e711b342901d3e67e8cee7d08dda4fc7b8809ab5e6c5858b76613.exe.log
MD5
daa436d058b25bdde9e2d6fe53c6ccf6

SHA1
3fc5d1eab28db05865915d8f6d9ecf85d9cc1d9e

SHA256
afb0ed8659b214fe4251a87a1c0a362c123363497fbd50737c1ae36a9376c4cd

SHA512
84f13582070ae4a3a9bb5e4b29620e659c258ab282e43e9bfa50528c08aae875d8c33cf3647fbb1253102af39b89f3b97f316e62f544355cc9c379e04fba960a

Download Submit
memory/2580-120-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2580-121-0x00000000058B0000-0x0000000005901000-memory.dmp

Filesize
324KB

Download
memory/2580-122-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/2580-123-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/2580-124-0x0000000005A80000-0x0000000005A98000-memory.dmp

Filesize
96KB

Download
memory/2580-118-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2616-126-0x0000000000418EEA-mapping.dmp

Download
memory/2616-125-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-130-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/2616-131-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2616-132-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/2616-133-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2616-134-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/2616-135-0x0000000005050000-0x0000000005656000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads