redline | f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d

General

Target

f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe
Size

5.9MB
MD5

2fe55f16da6348999312ef5ec21ae20d
SHA1

112bb1adce4ff9c427f61acbad6129794f8b213e
SHA256

f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d
SHA512

12747dd0fb27ace42c58f9412099d8fb33e73a24a1c1a86ebab96c22aef9f11a32320b8eca61fa9197ec8476a358ef674e067151d163b2a96f92085cf3d72724

Score

10^/10

redline 444 infostealer spyware vmprotect

Malware Config

Extracted

Family

redline

Botnet

444

C2

31.131.254.105:1498

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3988-127-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/3988-132-0x0000000000419326-mapping.dmp	family_redline

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2716-123-0x0000000000930000-0x00000000013E6000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe

pid process

2716 f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe

description	pid	process	target process
PID 2716 set thread context of 3988	2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exeRegSvcs.exe

pid	process
2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe
2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe
2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe
2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe
3988	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3988 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3988	RegSvcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe

description	pid	process	target process
PID 2716 wrote to memory of 3988	2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe	RegSvcs.exe
PID 2716 wrote to memory of 3988	2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe	RegSvcs.exe
PID 2716 wrote to memory of 3988	2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe	RegSvcs.exe
PID 2716 wrote to memory of 3988	2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe	RegSvcs.exe
PID 2716 wrote to memory of 3988	2716	f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe
"C:\Users\Admin\AppData\Local\Temp\f441a110f19b615e5c5fcf95ad57f96c418c2b5b3ad2565ff3863442457b422d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2716-115-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2716-116-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2716-117-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2716-118-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2716-119-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2716-120-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/2716-122-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/2716-123-0x0000000000930000-0x00000000013E6000-memory.dmp

Filesize
10.7MB

Download
memory/2716-126-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/3988-127-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3988-132-0x0000000000419326-mapping.dmp

Download
memory/3988-133-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3988-135-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/3988-136-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/3988-137-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3988-138-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3988-139-0x0000000005420000-0x0000000005A26000-memory.dmp

Filesize
6.0MB

Download
memory/3988-140-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3988-141-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/3988-142-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3988-143-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/3988-144-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/3988-145-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/3988-146-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/3988-147-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/3988-148-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads