redline | 16f4a3fc69b8b2b64db781127f898729b4ea712c835a3ffc8b25021106f8245c

General

Target

16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe
Size

4.4MB
MD5

594d7823440e565b0f1379be8f218e33
SHA1

07b3e8fc1d21fbbc13f7271d8eda4794ffa71861
SHA256

16f4a3fc69b8b2b64db781127f898729b4ea712c835a3ffc8b25021106f8245c
SHA512

b746afcbaad590c7fefe6c74c4ca076d97a74a91907272815f5be289ff1109ce257999d33600b5ec94b8b121305913cb10906c3f066bbbbdc2d7f1601bb9eca9

Score

10^/10

redline filinnn1 evasion infostealer spyware trojan

Malware Config

Extracted

Family

redline

Botnet

filinnn1

C2

5.45.77.29:41494

Attributes

auth_value
da347df57c88b125ede510dbe7fcc0f4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-61-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/1700-66-0x00000000000ABC2E-mapping.dmp	family_redline
behavioral1/memory/1700-68-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/1700-67-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe

description pid process target process

PID 1560 set thread context of 1700 1560 16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AppLaunch.exe

pid process

1700 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1700 AppLaunch.exe

description	pid	process	target process
PID 1560 set thread context of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe

pid	process
1700	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1700	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe

description	pid	process	target process
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe
PID 1560 wrote to memory of 1700	1560	16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe
"C:\Users\Admin\AppData\Local\Temp\16f4a3fc69b8b2b64db781127f898729b4ea712c835a3.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1560-54-0x0000000000400000-0x0000000000D37000-memory.dmp

Filesize
9.2MB

Download
memory/1560-58-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1700-59-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1700-61-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1700-66-0x00000000000ABC2E-mapping.dmp

Download
memory/1700-68-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1700-67-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads