redline | a3e02076203fb0a1c203265a9e9592f11fdc0d0e77a1d4591ece152f913092fa

General

Target

A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Size

530KB
MD5

4bf2eedfff6695b5f3fea01022c77b46
SHA1

6e08f77c366deb75ccc05c7e095132ca967d2dca
SHA256

a3e02076203fb0a1c203265a9e9592f11fdc0d0e77a1d4591ece152f913092fa
SHA512

d868367ef491593472eefe5009d5543b71f342406d4cc3a45c24e978a8c2112fe1da7a283918847dd7da4dfd5189d2559a9eebb6c7621ce9c4946513d3037c49

Score

10^/10

redline choi discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Choi

C2

192.99.175.89:49887

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/568-66-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/568-67-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/568-68-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/568-69-0x000000000041932E-mapping.dmp	family_redline
behavioral1/memory/568-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/568-73-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

description	pid	process	target process
PID 1972 set thread context of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1712 schtasks.exe

pid	process
1712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exepowershell.exeA3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

pid	process
1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
1268	powershell.exe
568	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
568	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exepowershell.exeA3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

description	pid	process
Token: SeDebugPrivilege	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	568	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

description	pid	process	target process
PID 1972 wrote to memory of 1268	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	powershell.exe
PID 1972 wrote to memory of 1268	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	powershell.exe
PID 1972 wrote to memory of 1268	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	powershell.exe
PID 1972 wrote to memory of 1268	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	powershell.exe
PID 1972 wrote to memory of 1712	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	schtasks.exe
PID 1972 wrote to memory of 1712	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	schtasks.exe
PID 1972 wrote to memory of 1712	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	schtasks.exe
PID 1972 wrote to memory of 1712	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	schtasks.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
PID 1972 wrote to memory of 568	1972	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe	A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe

C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
"C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bIsxcujH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bIsxcujH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5B0.tmp"
2⤵
- Creates scheduled task(s)
PID:1712

C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe
"C:\Users\Admin\AppData\Local\Temp\A3E02076203FB0A1C203265A9E9592F11FDC0D0E77A1D.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC5B0.tmp
Filesize
1KB

MD5
7ccaa9e66043562051514c4189eadb4b

SHA1
43df71ea13f999774230aa1e29da9a805ff08d6c

SHA256
dc38bc410eebe507c2938a811318db9d64e7b5c62b21aa9aa70faa2b68dcb645

SHA512
ac96d1efe2b5e9068fc9decfd108a28515c3281ec7a805e577a2bb99e46b1c1c6f1fd2603dc5ae49e3c2e0853ad7a5891e6cdba21b534b83c2a0b2681ecba326

Download Submit
memory/568-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/568-69-0x000000000041932E-mapping.dmp

Download
memory/568-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/568-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/568-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/568-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/568-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/568-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1268-58-0x0000000000000000-mapping.dmp

Download
memory/1268-76-0x000000006ECF0000-0x000000006F29B000-memory.dmp

Filesize
5.7MB

Download
memory/1268-75-0x000000006ECF0000-0x000000006F29B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-59-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000001390000-0x000000000141A000-memory.dmp

Filesize
552KB

Download
memory/1972-56-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/1972-57-0x0000000005DA0000-0x0000000005E02000-memory.dmp

Filesize
392KB

Download
memory/1972-62-0x00000000011F0000-0x000000000120E000-memory.dmp

Filesize
120KB

Download
memory/1972-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads