redline | 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856

General

Target

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
Size

4.5MB
MD5

116ad7e88ec60629de63ceeed72ca6f0
SHA1

9cf771b5ad3a5c18679827337261b9a7b0a586cd
SHA256

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856
SHA512

ecb5baf8a69125a27c0b381904d69f4046ee9e5a29557cb70614a32c95ea3c254b1e71f6ffcd2fba5ccc5df7c6740a2ac29b232b2c6f89ad037466c5cf7ec1cd
SSDEEP

98304:4+jjU7ShrX3uJXPhcHWSbjZxTap3mnR9zjMn:XfzhrX8c2WVxTamn7z

Score

10^/10

redline imhotep infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

IMHOTEP

C2

185.215.113.217:19618

Attributes

auth_value
6ab091fd3a77232d89f167fd3318223a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1504-66-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1504-67-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1504-68-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1504-69-0x000000000042212E-mapping.dmp	family_redline
behavioral1/memory/1504-71-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/1504-73-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe

description	pid	process	target process
PID 1228 set thread context of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exeAppLaunch.exe

pid	process
1880	powershell.exe
1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
1504	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exepowershell.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1504	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe

description	pid	process	target process
PID 1228 wrote to memory of 1880	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	powershell.exe
PID 1228 wrote to memory of 1880	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	powershell.exe
PID 1228 wrote to memory of 1880	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	powershell.exe
PID 1228 wrote to memory of 1880	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	powershell.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 1228 wrote to memory of 1504	1228	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
"C:\Users\Admin\AppData\Local\Temp\8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-54-0x0000000000220000-0x000000000069E000-memory.dmp

Filesize
4.5MB

Download
memory/1228-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1228-56-0x0000000005B50000-0x0000000005C0A000-memory.dmp

Filesize
744KB

Download
memory/1228-57-0x00000000006E0000-0x000000000072C000-memory.dmp

Filesize
304KB

Download
memory/1228-58-0x0000000002620000-0x00000000026B2000-memory.dmp

Filesize
584KB

Download
memory/1504-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1504-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1504-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1504-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1504-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1504-69-0x000000000042212E-mapping.dmp

Download
memory/1504-71-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1504-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1880-61-0x000000006EDB0000-0x000000006F35B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-62-0x000000006EDB0000-0x000000006F35B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads