redline | 82b844c1e452640ba4bf4ef2ec6187d16673b3113af6a92ac684ca3ba6a82859

General

Target

God of War.exe
Size

1.2MB
MD5

484c3ab4ae2795dce03be108c01ea316
SHA1

459b95db4341640c1c249bce55e74a39e256e2d4
SHA256

82b844c1e452640ba4bf4ef2ec6187d16673b3113af6a92ac684ca3ba6a82859
SHA512

956ebe3f1ddfb4aa565ccddf00184f787592b22aa548cdc82391bf1233b8ccd707aa90e6b9e73b42b28a9ddc637ca3ce79e070319445d35bcec907ae30477059

Score

10^/10

redline infostealer

Malware Config

Extracted

Family

redline

C2

5.206.227.246:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/472-60-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/472-61-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/472-62-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/472-64-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/472-65-0x00000000023C0000-0x00000000026B0000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

God of War.exe

description pid process target process

PID 748 set thread context of 472 748 God of War.exe RegAsm.exe

description	pid	process	target process
PID 748 set thread context of 472	748	God of War.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

RegAsm.exe

pid process

472 RegAsm.exe
472 RegAsm.exe
472 RegAsm.exe
472 RegAsm.exe
472 RegAsm.exe
472 RegAsm.exe
472 RegAsm.exe
472 RegAsm.exe
472 RegAsm.exe
472 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 472 RegAsm.exe

pid	process
472	RegAsm.exe
472	RegAsm.exe
472	RegAsm.exe
472	RegAsm.exe
472	RegAsm.exe
472	RegAsm.exe
472	RegAsm.exe
472	RegAsm.exe
472	RegAsm.exe
472	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	472	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

God of War.exe

description	pid	process	target process
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe
PID 748 wrote to memory of 472	748	God of War.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\God of War.exe
"C:\Users\Admin\AppData\Local\Temp\God of War.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/472-59-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/472-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/472-61-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/472-62-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/472-64-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/472-65-0x00000000023C0000-0x00000000026B0000-memory.dmp

Filesize
2.9MB

Download
memory/748-54-0x0000000000C40000-0x0000000000D86000-memory.dmp

Filesize
1.3MB

Download
memory/748-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/748-56-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads