redline | 0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08

General

Target

0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
Size

279KB
MD5

201a75533e813778f5278f107505b384
SHA1

8523f543412b6f628011b748543f9de462229185
SHA256

0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08
SHA512

f141453a0c6ca377a32dd764f74e2b2d66ac0db8f839636975b6e16cbb2c4305793a457adb296c7bbc93d6468bf3f0996b648618c7b2aa424a1df6f66f9cd2e9

Score

10^/10

redline mastif agilenet discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Mastif

C2

81.91.178.186:19410

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2308-410-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/3728-118-0x0000000000700000-0x000000000074C000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe

description	pid	process	target process
PID 3728 set thread context of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exe0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe

pid	process
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
2308	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe
Token: SeUndockPrivilege	4020	powershell.exe
Token: SeManageVolumePrivilege	4020	powershell.exe
Token: 33	4020	powershell.exe
Token: 34	4020	powershell.exe
Token: 35	4020	powershell.exe
Token: 36	4020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe
Token: SeUndockPrivilege	4020	powershell.exe
Token: SeManageVolumePrivilege	4020	powershell.exe
Token: 33	4020	powershell.exe
Token: 34	4020	powershell.exe
Token: 35	4020	powershell.exe
Token: 36	4020	powershell.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe
Token: SeUndockPrivilege	4020	powershell.exe
Token: SeManageVolumePrivilege	4020	powershell.exe
Token: 33	4020	powershell.exe
Token: 34	4020	powershell.exe
Token: 35	4020	powershell.exe
Token: 36	4020	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe

C:\Users\Admin\AppData\Local\Temp\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
"C:\Users\Admin\AppData\Local\Temp\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection google.com; Test-Connection yahoo.com; Test-Connection youtube.com; Test-Connection google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Users\Admin\AppData\Local\Temp\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
C:\Users\Admin\AppData\Local\Temp\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
2⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
C:\Users\Admin\AppData\Local\Temp\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
2⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
C:\Users\Admin\AppData\Local\Temp\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe.log
MD5
808e884c00533a9eb0e13e64960d9c3a

SHA1
279d05181fc6179a12df1a669ff5d8b64c1380ae

SHA256
2f6a0aab99b1c228a6642f44f8992646ce84c5a2b3b9941b6cf1f2badf67bdd6

SHA512
9489bdb2ffdfeef3c52edcfe9b34c6688eba53eb86075e0564df1cd474723c86b5b5aedc12df1ff5fc12cf97bd1e3cf9701ff61dc4ce90155d70e9ccfd0fc299

Download Submit
memory/2308-412-0x0000000005510000-0x0000000005B16000-memory.dmp

Filesize
6.0MB

Download
memory/2308-416-0x0000000004FE0000-0x000000000502B000-memory.dmp

Filesize
300KB

Download
memory/2308-420-0x0000000006620000-0x0000000006670000-memory.dmp

Filesize
320KB

Download
memory/2308-419-0x0000000005E90000-0x0000000005EAE000-memory.dmp

Filesize
120KB

Download
memory/2308-415-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

Filesize
248KB

Download
memory/2308-417-0x0000000004F00000-0x0000000005506000-memory.dmp

Filesize
6.0MB

Download
memory/2308-421-0x0000000006BA0000-0x0000000006D62000-memory.dmp

Filesize
1.8MB

Download
memory/2308-410-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2308-418-0x0000000005EF0000-0x0000000005F82000-memory.dmp

Filesize
584KB

Download
memory/2308-414-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/2308-413-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/2308-422-0x00000000072A0000-0x00000000077CC000-memory.dmp

Filesize
5.2MB

Download
memory/3728-407-0x0000000004F50000-0x0000000004F9C000-memory.dmp

Filesize
304KB

Download
memory/3728-118-0x0000000000700000-0x000000000074C000-memory.dmp

Filesize
304KB

Download
memory/3728-409-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

Filesize
304KB

Download
memory/3728-408-0x0000000005C80000-0x0000000005CB6000-memory.dmp

Filesize
216KB

Download
memory/4020-128-0x0000000008220000-0x0000000008570000-memory.dmp

Filesize
3.3MB

Download
memory/4020-149-0x000000000A910000-0x000000000AF88000-memory.dmp

Filesize
6.5MB

Download
memory/4020-144-0x0000000007343000-0x0000000007344000-memory.dmp

Filesize
4KB

Download
memory/4020-141-0x0000000009D90000-0x000000000A28E000-memory.dmp

Filesize
5.0MB

Download
memory/4020-140-0x0000000009780000-0x00000000097A2000-memory.dmp

Filesize
136KB

Download
memory/4020-139-0x0000000009540000-0x000000000955A000-memory.dmp

Filesize
104KB

Download
memory/4020-138-0x00000000097F0000-0x0000000009884000-memory.dmp

Filesize
592KB

Download
memory/4020-131-0x00000000089A0000-0x0000000008A16000-memory.dmp

Filesize
472KB

Download
memory/4020-130-0x00000000086B0000-0x00000000086FB000-memory.dmp

Filesize
300KB

Download
memory/4020-129-0x00000000074B0000-0x00000000074CC000-memory.dmp

Filesize
112KB

Download
memory/4020-127-0x0000000008090000-0x00000000080F6000-memory.dmp

Filesize
408KB

Download
memory/4020-126-0x00000000078F0000-0x0000000007956000-memory.dmp

Filesize
408KB

Download
memory/4020-125-0x0000000007750000-0x0000000007772000-memory.dmp

Filesize
136KB

Download
memory/4020-124-0x0000000007342000-0x0000000007343000-memory.dmp

Filesize
4KB

Download
memory/4020-123-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/4020-122-0x0000000007980000-0x0000000007FA8000-memory.dmp

Filesize
6.2MB

Download
memory/4020-121-0x0000000007150000-0x0000000007186000-memory.dmp

Filesize
216KB

Download

description	pid	process	target process
PID 3728 wrote to memory of 4020	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	powershell.exe
PID 3728 wrote to memory of 4020	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	powershell.exe
PID 3728 wrote to memory of 4020	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	powershell.exe
PID 3728 wrote to memory of 1584	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 1584	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 1584	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 1476	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 1476	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 1476	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe
PID 3728 wrote to memory of 2308	3728	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe	0ebf44ed5f0614c08d4e5f25fb08cd33fa5ec7baa6a5c9c4c19d41dbf3e9df08.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads