redline | 6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9

General

Target

6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exe
Size

552KB
MD5

c986e3f232dd71ac91e33cbbddf25c0a
SHA1

c0d65b2188e25c1e62de1d8bd5c4dc67f49ef248
SHA256

6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9
SHA512

e36e7e15e6e8c266e168e9570f8d08082ca8dd2d85cb6edbf5eb61ca63dacfe1db92eed9724346d3c39effa51d14dc65a23c767a4a184447032a19241482dd21

Score

10^/10

redline 456390 robot discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Robot

C2

178.238.8.47:36439

Extracted

Family

redline

Botnet

456390

C2

45.77.80.187:15300

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/808-131-0x00000000022E0000-0x000000000230E000-memory.dmp	family_redline
behavioral1/memory/808-136-0x00000000025A0000-0x00000000025CC000-memory.dmp	family_redline
behavioral1/memory/2876-137-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/2876-138-0x000000000041A2AE-mapping.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

Netflix.exeRobot_20.exe

pid process

1588 Netflix.exe
808 Robot_20.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Netflix.exe

description pid process target process

PID 1588 set thread context of 2876 1588 Netflix.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exeRobot_20.exe

pid process

2876 RegAsm.exe
808 Robot_20.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Robot_20.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 808 Robot_20.exe
Token: SeDebugPrivilege 2876 RegAsm.exe

pid	process
1588	Netflix.exe
808	Robot_20.exe

description	pid	process	target process
PID 1588 set thread context of 2876	1588	Netflix.exe	RegAsm.exe

pid	process
2876	RegAsm.exe
808	Robot_20.exe

description	pid	process
Token: SeDebugPrivilege	808	Robot_20.exe
Token: SeDebugPrivilege	2876	RegAsm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exeNetflix.exe

description	pid	process	target process
PID 3576 wrote to memory of 1588	3576	6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exe	Netflix.exe
PID 3576 wrote to memory of 1588	3576	6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exe	Netflix.exe
PID 3576 wrote to memory of 808	3576	6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exe	Robot_20.exe
PID 3576 wrote to memory of 808	3576	6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exe	Robot_20.exe
PID 3576 wrote to memory of 808	3576	6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exe	Robot_20.exe
PID 1588 wrote to memory of 2876	1588	Netflix.exe	RegAsm.exe
PID 1588 wrote to memory of 2876	1588	Netflix.exe	RegAsm.exe
PID 1588 wrote to memory of 2876	1588	Netflix.exe	RegAsm.exe
PID 1588 wrote to memory of 2876	1588	Netflix.exe	RegAsm.exe
PID 1588 wrote to memory of 2876	1588	Netflix.exe	RegAsm.exe
PID 1588 wrote to memory of 2876	1588	Netflix.exe	RegAsm.exe
PID 1588 wrote to memory of 2876	1588	Netflix.exe	RegAsm.exe
PID 1588 wrote to memory of 2876	1588	Netflix.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exe
"C:\Users\Admin\AppData\Local\Temp\6c251106b903b525e3ffa3d0ac5fd47704a0970841f4a493d15fb374ee35f0e9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\Netflix.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
"C:\Users\Admin\AppData\Local\Temp\Robot_20.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Netflix.exe
MD5
286b2514208110bab3196a61039fa4dd

SHA1
9d6bb9c38fd9b923a23f83c1e7dc0d8dca3552a7

SHA256
9c49f49218eaaae954e25937c328e7404dd1d61ca13b44b00eb2500034492bfe

SHA512
92382bde2186e392dac8340d2fb89a3b8ae7832a783eda344f16970b743f005dbc6626ba59ffc4b875ab8f74bb89f89144a0380b0b44ed7f996e147371958288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Netflix.exe
MD5
286b2514208110bab3196a61039fa4dd

SHA1
9d6bb9c38fd9b923a23f83c1e7dc0d8dca3552a7

SHA256
9c49f49218eaaae954e25937c328e7404dd1d61ca13b44b00eb2500034492bfe

SHA512
92382bde2186e392dac8340d2fb89a3b8ae7832a783eda344f16970b743f005dbc6626ba59ffc4b875ab8f74bb89f89144a0380b0b44ed7f996e147371958288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
MD5
9854e0dcb0cf68a1996acd5b801f1e4b

SHA1
883e60ef57ac00c3da29f3e186c2df7bd6acc7b3

SHA256
a5ba452a894d5cb2270dfe4ba6cae0df50f2b590bec3df5ac409678c2c6fb938

SHA512
a63a74d11cfd9e675b5437365acf11d02f958c71acdfa1bf3b5bf3936806d97c3784e121010c587c87d9b71ed2ff497fe7be314113996f025048e68fcac1bd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Robot_20.exe
MD5
9854e0dcb0cf68a1996acd5b801f1e4b

SHA1
883e60ef57ac00c3da29f3e186c2df7bd6acc7b3

SHA256
a5ba452a894d5cb2270dfe4ba6cae0df50f2b590bec3df5ac409678c2c6fb938

SHA512
a63a74d11cfd9e675b5437365acf11d02f958c71acdfa1bf3b5bf3936806d97c3784e121010c587c87d9b71ed2ff497fe7be314113996f025048e68fcac1bd33

Download Submit
memory/808-134-0x0000000004D92000-0x0000000004D93000-memory.dmp

Filesize
4KB

Download
memory/808-156-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/808-164-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/808-163-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/808-125-0x00000000021B0000-0x00000000021DB000-memory.dmp

Filesize
172KB

Download
memory/808-126-0x00000000021E0000-0x0000000002219000-memory.dmp

Filesize
228KB

Download
memory/808-127-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/808-157-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/808-122-0x0000000000000000-mapping.dmp

Download
memory/808-141-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/808-131-0x00000000022E0000-0x000000000230E000-memory.dmp

Filesize
184KB

Download
memory/808-132-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/808-133-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/808-135-0x0000000004D93000-0x0000000004D94000-memory.dmp

Filesize
4KB

Download
memory/808-154-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/808-136-0x00000000025A0000-0x00000000025CC000-memory.dmp

Filesize
176KB

Download
memory/808-147-0x0000000004D94000-0x0000000004D96000-memory.dmp

Filesize
8KB

Download
memory/808-143-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1588-129-0x000000001D0F0000-0x000000001D0F1000-memory.dmp

Filesize
4KB

Download
memory/1588-130-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1588-120-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1588-117-0x0000000000000000-mapping.dmp

Download
memory/1588-128-0x0000000001100000-0x0000000001102000-memory.dmp

Filesize
8KB

Download
memory/2876-148-0x0000000005150000-0x0000000005756000-memory.dmp

Filesize
6.0MB

Download
memory/2876-151-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2876-155-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/2876-150-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2876-138-0x000000000041A2AE-mapping.dmp

Download
memory/2876-162-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/2876-137-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2876-145-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3576-115-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads