redline | eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24

General

Target

eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe
Size

1024KB
MD5

77754f3a52aa773c9d3a7800e6ef5175
SHA1

35b044fd8435b6a886f5ad69938b4d5f60c92069
SHA256

eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24
SHA512

14a3d73698ea2872508e9ed2fcc62aea016a56da096bd5b24cfed3e85ccf771c794a69bdabf48c26d6f1eddb34be04883ad7099a14b60ec36cb879968717d128

Score

10^/10

redline 10 infostealer

Malware Config

Extracted

Family

redline

Botnet

10

C2

195.161.41.203:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/212-143-0x0000000000540000-0x0000000000570000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

rundll32.comrundll32.com

pid process

1028 rundll32.com
1132 rundll32.com
Loads dropped DLL 1 IoCs

Processes:

eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe

pid process

4144 eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.com

description pid process target process

PID 1132 set thread context of 212 1132 rundll32.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3604 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1524 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 212 RegAsm.exe
Token: SeDebugPrivilege 3604 taskkill.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

rundll32.comrundll32.com

pid process

1028 rundll32.com
1028 rundll32.com
1028 rundll32.com
1132 rundll32.com
1132 rundll32.com
1132 rundll32.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

rundll32.comrundll32.com

pid process

1028 rundll32.com
1028 rundll32.com
1028 rundll32.com
1132 rundll32.com
1132 rundll32.com
1132 rundll32.com

pid	process
1028	rundll32.com
1132	rundll32.com

pid	process
4144	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe

description	pid	process	target process
PID 1132 set thread context of 212	1132	rundll32.com	RegAsm.exe

pid	process
3604	taskkill.exe

pid	process
1524	PING.EXE

description	pid	process
Token: SeDebugPrivilege	212	RegAsm.exe
Token: SeDebugPrivilege	3604	taskkill.exe

pid	process
1028	rundll32.com
1028	rundll32.com
1028	rundll32.com
1132	rundll32.com
1132	rundll32.com
1132	rundll32.com

pid	process
1028	rundll32.com
1028	rundll32.com
1028	rundll32.com
1132	rundll32.com
1132	rundll32.com
1132	rundll32.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.execmd.exerundll32.comrundll32.com

description	pid	process	target process
PID 4144 wrote to memory of 4328	4144	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe	cmd.exe
PID 4144 wrote to memory of 4328	4144	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe	cmd.exe
PID 4144 wrote to memory of 4328	4144	eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe	cmd.exe
PID 4328 wrote to memory of 4408	4328	cmd.exe	certutil.exe
PID 4328 wrote to memory of 4408	4328	cmd.exe	certutil.exe
PID 4328 wrote to memory of 4408	4328	cmd.exe	certutil.exe
PID 4328 wrote to memory of 1028	4328	cmd.exe	rundll32.com
PID 4328 wrote to memory of 1028	4328	cmd.exe	rundll32.com
PID 4328 wrote to memory of 1028	4328	cmd.exe	rundll32.com
PID 1028 wrote to memory of 1132	1028	rundll32.com	rundll32.com
PID 1028 wrote to memory of 1132	1028	rundll32.com	rundll32.com
PID 1028 wrote to memory of 1132	1028	rundll32.com	rundll32.com
PID 4328 wrote to memory of 1524	4328	cmd.exe	PING.EXE
PID 4328 wrote to memory of 1524	4328	cmd.exe	PING.EXE
PID 4328 wrote to memory of 1524	4328	cmd.exe	PING.EXE
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe
PID 1132 wrote to memory of 212	1132	rundll32.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe
"C:\Users\Admin\AppData\Local\Temp\eb207112f14ba9ba8bd62500f5a10f07a15af70d6c4fbc1d6ee0b9e14b685c24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\cmd.exe
"cmd" /c <nul set /p ="M" > rundll32.com & type xWYX.com >> rundll32.com & del xWYX.com & certutil -decode Ulu.com H & rundll32.com H & ping 127.0.0.1 -n 2 > nul & del Ulu.com & del H
2⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\certutil.exe
certutil -decode Ulu.com H
3⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\rundll32.com
rundll32.com H
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\rundll32.com
C:\Users\Admin\AppData\Local\Temp\rundll32.com H
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 212 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4872

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 212
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:4852

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H
Filesize
355KB

MD5
1a0d0b76fc907949660c8a9647a370c5

SHA1
8b993fda4f18d24fd0327c62b264b941054a5e9c

SHA256
c55f427b3a4be77726fa75009e2da71ef10e559eb8fbd26dde4b5ff760c03819

SHA512
cfb770790d381a4a9e824ffac0da2da2157a9f7d3f50763cdda4e40593bbb95196949401c14e0ba96a000c3aa6e115f5ef728d5e7f63acd522cb011fca5cb3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ulu.com
Filesize
488KB

MD5
3998a649753fd0b941d5aa7ebbb6449d

SHA1
ea76fac1bb3dc5421d46d7acb24000bac9207868

SHA256
fc947384ac807e132ed445e7a51e91317bcaa190b1411f585aa2feff93611e2b

SHA512
257bcfecf65b20d0c61267208eb531185a47ccf045f7929ce80199908ef7017dc7ba901349a015fd9c6aac38deed8e3077b9a0e847fba097003910d2c38ce8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrDZ.com
Filesize
163KB

MD5
a671804ec84cb10f11b17ec84a16b138

SHA1
a95cf082f916f3494388e4011d5f81ec7cacb0aa

SHA256
c28657fb7b3c4ef32ebfea72277515e5a7198f001fb367701f71481986fccafb

SHA512
dd769c0f8e471a7d4b85d5b3fa92e2267135b84afc6d3627d5a691b54a2cec18eac5fa267971637e9670287947d3b6e1858238b21acbd0dc1f05d769187a37df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbD7C8.tmp\dRjjtFp.dll
Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWYX.com
Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
memory/212-145-0x0000000016B10000-0x0000000016B22000-memory.dmp

Filesize
72KB

Download
memory/212-147-0x0000000016E30000-0x0000000016F3A000-memory.dmp

Filesize
1.0MB

Download
memory/212-146-0x0000000016B90000-0x0000000016BCC000-memory.dmp

Filesize
240KB

Download
memory/212-144-0x00000000171B0000-0x00000000177C8000-memory.dmp

Filesize
6.1MB

Download
memory/212-143-0x0000000000540000-0x0000000000570000-memory.dmp

Filesize
192KB

Download
memory/212-142-0x0000000000000000-mapping.dmp

Download
memory/1028-135-0x0000000000000000-mapping.dmp

Download
memory/1132-138-0x0000000000000000-mapping.dmp

Download
memory/1524-141-0x0000000000000000-mapping.dmp

Download
memory/3604-149-0x0000000000000000-mapping.dmp

Download
memory/4328-131-0x0000000000000000-mapping.dmp

Download
memory/4408-133-0x0000000000000000-mapping.dmp

Download
memory/4852-150-0x0000000000000000-mapping.dmp

Download
memory/4872-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing