redline | 16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261

General

Target

16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
Size

1.6MB
MD5

172b15079b00399010648f9474f8e0b6
SHA1

931da4fc406d9242a298e86fb818eed29bff8047
SHA256

16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261
SHA512

8e0912393441a0e5863b5097943de3d099d2b3f3f32c1425a524fe2c5f61caffe3887f7c9c14fb9b0cdded5357174001dc3307c817c80a6a4566715a588874e8

Score

10^/10

redline subzero infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

SUBZERO

C2

185.215.113.217:19618

Attributes

auth_value
019ff2a82025cde517e4466362191205

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1248-65-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1248-67-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1248-69-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe

description	pid	process	target process
PID 836 set thread context of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe

pid	process
836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

InstallUtil.exe

description pid process

Token: SeDebugPrivilege 1248 InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1248	InstallUtil.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe

description	pid	process	target process
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe
PID 836 wrote to memory of 1248	836	16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe
"C:\Users\Admin\AppData\Local\Temp\16c297a32f4883adf8de4d8d3d2ef4ca3714fa09260065a0ae6fb76a08f27261.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-60-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/836-54-0x0000000002050000-0x000000000257E000-memory.dmp

Filesize
5.2MB

Download
memory/836-56-0x0000000002580000-0x00000000026C7000-memory.dmp

Filesize
1.3MB

Download
memory/836-57-0x0000000002580000-0x00000000026C7000-memory.dmp

Filesize
1.3MB

Download
memory/836-58-0x0000000002050000-0x000000000257E000-memory.dmp

Filesize
5.2MB

Download
memory/836-59-0x0000000002580000-0x00000000026C7000-memory.dmp

Filesize
1.3MB

Download
memory/836-55-0x0000000002050000-0x000000000257E000-memory.dmp

Filesize
5.2MB

Download
memory/836-61-0x000000000B470000-0x000000000B59F000-memory.dmp

Filesize
1.2MB

Download
memory/836-70-0x0000000002580000-0x00000000026C7000-memory.dmp

Filesize
1.3MB

Download
memory/836-62-0x000000000B470000-0x000000000B59F000-memory.dmp

Filesize
1.2MB

Download
memory/1248-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1248-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1248-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1248-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads