redline | f919ca0a5c6bff30ebed640b411b8a1a73350497fdd6087e1a24f7d9648724bf

General

Target

Installer.exe
Size

586.3MB
MD5

56cae4e535bb14d5b699a1f3b3a372f0
SHA1

8e085dc03bc975c10ebe2076962c17f8bd369e98
SHA256

f919ca0a5c6bff30ebed640b411b8a1a73350497fdd6087e1a24f7d9648724bf
SHA512

37e9233427fd3c990d637e406c58430319d6c6d10798ebdff25e81dccca32e5620e6dca44937adea7263888562e02c2488f04e2578e4b70bdf08a4b8053ba6fd

Score

10^/10

redline 777 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

777

C2

89.22.227.140:31288

Attributes

auth_value
e42115cf07e73321acdde5e388b0aef9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/844-59-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/844-60-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/844-62-0x000000000041AD7A-mapping.dmp	family_redline
behavioral1/memory/844-64-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/844-63-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/844-68-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/844-71-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Installer.exe

description pid process target process

PID 1540 set thread context of 844 1540 Installer.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

844 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Installer.exevbc.exe

description pid process

Token: SeDebugPrivilege 1540 Installer.exe
Token: SeDebugPrivilege 844 vbc.exe

description	pid	process	target process
PID 1540 set thread context of 844	1540	Installer.exe	vbc.exe

pid	process
844	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1540	Installer.exe
Token: SeDebugPrivilege	844	vbc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Installer.exe

description	pid	process	target process
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe
PID 1540 wrote to memory of 844	1540	Installer.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-56-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/844-57-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/844-59-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/844-60-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/844-62-0x000000000041AD7A-mapping.dmp

Download
memory/844-64-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/844-63-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/844-68-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/844-71-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1540-54-0x0000000000F30000-0x0000000000F90000-memory.dmp

Filesize
384KB

Download
memory/1540-55-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing