redline | f919ca0a5c6bff30ebed640b411b8a1a73350497fdd6087e1a24f7d9648724bf

General

Target

Installer.exe
Size

586.3MB
MD5

56cae4e535bb14d5b699a1f3b3a372f0
SHA1

8e085dc03bc975c10ebe2076962c17f8bd369e98
SHA256

f919ca0a5c6bff30ebed640b411b8a1a73350497fdd6087e1a24f7d9648724bf
SHA512

37e9233427fd3c990d637e406c58430319d6c6d10798ebdff25e81dccca32e5620e6dca44937adea7263888562e02c2488f04e2578e4b70bdf08a4b8053ba6fd

Score

10^/10

redline 777 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

777

C2

89.22.227.140:31288

Attributes

auth_value
e42115cf07e73321acdde5e388b0aef9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4948-133-0x0000000000740000-0x0000000000760000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

pumpal109061.exe

pid process

2664 pumpal109061.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Installer.exe

description pid process target process

PID 2628 set thread context of 4948 2628 Installer.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

4948 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Installer.exevbc.exe

description pid process

Token: SeDebugPrivilege 2628 Installer.exe
Token: SeDebugPrivilege 4948 vbc.exe

pid	process
2664	pumpal109061.exe

description	pid	process	target process
PID 2628 set thread context of 4948	2628	Installer.exe	vbc.exe

pid	process
4948	vbc.exe

description	pid	process
Token: SeDebugPrivilege	2628	Installer.exe
Token: SeDebugPrivilege	4948	vbc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Installer.exevbc.exe

description	pid	process	target process
PID 2628 wrote to memory of 4948	2628	Installer.exe	vbc.exe
PID 2628 wrote to memory of 4948	2628	Installer.exe	vbc.exe
PID 2628 wrote to memory of 4948	2628	Installer.exe	vbc.exe
PID 2628 wrote to memory of 4948	2628	Installer.exe	vbc.exe
PID 2628 wrote to memory of 4948	2628	Installer.exe	vbc.exe
PID 2628 wrote to memory of 4948	2628	Installer.exe	vbc.exe
PID 2628 wrote to memory of 4948	2628	Installer.exe	vbc.exe
PID 2628 wrote to memory of 4948	2628	Installer.exe	vbc.exe
PID 4948 wrote to memory of 2664	4948	vbc.exe	pumpal109061.exe
PID 4948 wrote to memory of 2664	4948	vbc.exe	pumpal109061.exe
PID 4948 wrote to memory of 2664	4948	vbc.exe	pumpal109061.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe
"C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe"
3⤵
- Executes dropped EXE
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe
Filesize
26.7MB

MD5
430a7adec2ef4c9e34c0c4227bb528e4

SHA1
c8ef475c554111721f1f7cdb6a9669ba54b0e21e

SHA256
1cb689eceebad2a2a866f014d34671772482ca5701ac5de88a3cc358aa5d7a9d

SHA512
01f6ba2b5c5fdae41538a7fd5bf049da80d5235a9b8dba3e86da12c0841ea4d16ea86db342cd0d506f15da0cc2732b4ed66eb91e1f14691c394d30a99c8ae77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe
Filesize
26.1MB

MD5
eae6bce4e34635df0cdf91cd45f4a3c0

SHA1
2c385044d852d5b28f113965693dff38d9f78d0d

SHA256
338d014fb2628f3a04dc9c02f43d3a7f6c6bc57427a64f7c56acf70c98a4bbfa

SHA512
b7f3b0564c6ea03976da00ceed115ec21c2e1c0f8b18f3667e31db49425658a82de9483c89148d9fc3721339a44d8efee804da79eeaba2bc5352d1dffbf644ef

Download Submit
memory/2628-130-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2664-146-0x0000000000000000-mapping.dmp

Download
memory/4948-139-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/4948-142-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/4948-137-0x0000000004C30000-0x0000000004C6C000-memory.dmp

Filesize
240KB

Download
memory/4948-138-0x0000000004FC0000-0x0000000005036000-memory.dmp

Filesize
472KB

Download
memory/4948-135-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/4948-140-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/4948-141-0x00000000050B0000-0x00000000050CE000-memory.dmp

Filesize
120KB

Download
memory/4948-136-0x0000000004D00000-0x0000000004E0A000-memory.dmp

Filesize
1.0MB

Download
memory/4948-143-0x0000000006720000-0x00000000068E2000-memory.dmp

Filesize
1.8MB

Download
memory/4948-144-0x0000000006E20000-0x000000000734C000-memory.dmp

Filesize
5.2MB

Download
memory/4948-145-0x00000000066A0000-0x00000000066F0000-memory.dmp

Filesize
320KB

Download
memory/4948-134-0x0000000005130000-0x0000000005748000-memory.dmp

Filesize
6.1MB

Download
memory/4948-133-0x0000000000740000-0x0000000000760000-memory.dmp

Filesize
128KB

Download
memory/4948-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing