redline | 8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856

Analysis

max time kernel
165s
max time network
172s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18-09-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
Size

4.5MB
MD5

116ad7e88ec60629de63ceeed72ca6f0
SHA1

9cf771b5ad3a5c18679827337261b9a7b0a586cd
SHA256

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856
SHA512

ecb5baf8a69125a27c0b381904d69f4046ee9e5a29557cb70614a32c95ea3c254b1e71f6ffcd2fba5ccc5df7c6740a2ac29b232b2c6f89ad037466c5cf7ec1cd
SSDEEP

98304:4+jjU7ShrX3uJXPhcHWSbjZxTap3mnR9zjMn:XfzhrX8c2WVxTamn7z

Score

10^/10

redline imhotep infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

IMHOTEP

185.215.113.217:19618

Attributes

auth_value
6ab091fd3a77232d89f167fd3318223a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4472-289-0x000000000042212E-mapping.dmp	family_redline
behavioral2/memory/4472-327-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe

description	pid	process	target process
PID 4220 set thread context of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exe8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exeAppLaunch.exe

pid	process
1108	powershell.exe
1108	powershell.exe
1108	powershell.exe
4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
4472	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exepowershell.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	4472	AppLaunch.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe

description	pid	process	target process
PID 4220 wrote to memory of 1108	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	powershell.exe
PID 4220 wrote to memory of 1108	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	powershell.exe
PID 4220 wrote to memory of 1108	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	powershell.exe
PID 4220 wrote to memory of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 4220 wrote to memory of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 4220 wrote to memory of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 4220 wrote to memory of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 4220 wrote to memory of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 4220 wrote to memory of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 4220 wrote to memory of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe
PID 4220 wrote to memory of 4472	4220	8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe
"C:\Users\Admin\AppData\Local\Temp\8c952a5d6d8f610f4462847570be51afcadbfc5ca8c7298556bf24d6e1c92856.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-201-0x0000000000000000-mapping.dmp

Download
memory/1108-237-0x00000000066D0000-0x0000000006706000-memory.dmp

Filesize
216KB

Download
memory/1108-242-0x0000000006EC0000-0x00000000074E8000-memory.dmp

Filesize
6.2MB

Download
memory/1108-260-0x0000000006E40000-0x0000000006EA6000-memory.dmp

Filesize
408KB

Download
memory/1108-262-0x00000000074F0000-0x0000000007556000-memory.dmp

Filesize
408KB

Download
memory/1108-282-0x0000000008C70000-0x0000000008C8A000-memory.dmp

Filesize
104KB

Download
memory/1108-281-0x00000000096C0000-0x0000000009D38000-memory.dmp

Filesize
6.5MB

Download
memory/1108-270-0x0000000007E90000-0x0000000007F06000-memory.dmp

Filesize
472KB

Download
memory/1108-266-0x0000000008080000-0x00000000080CB000-memory.dmp

Filesize
300KB

Download
memory/1108-265-0x0000000007620000-0x000000000763C000-memory.dmp

Filesize
112KB

Download
memory/4220-155-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-153-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-123-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-124-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-125-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-126-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-127-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-128-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-130-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-131-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-132-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-133-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-134-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-135-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-163-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-137-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-138-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-139-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-140-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-141-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-142-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-143-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-144-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-145-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-146-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-147-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-148-0x0000000000030000-0x00000000004AE000-memory.dmp

Filesize
4.5MB

Download
memory/4220-149-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-150-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-151-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-152-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-162-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-154-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-121-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-156-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-157-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-158-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-161-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-160-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-159-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-122-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-136-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-164-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-166-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-165-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-167-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-168-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-169-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-170-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-171-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-172-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-173-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-174-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-175-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-176-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-177-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-178-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-179-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-180-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-120-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-119-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-118-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-117-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-116-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4220-183-0x00000000058A0000-0x000000000595A000-memory.dmp

Filesize
744KB

Download
memory/4220-184-0x00000000059D0000-0x0000000005A1C000-memory.dmp

Filesize
304KB

Download
memory/4220-186-0x0000000005B60000-0x0000000005BF2000-memory.dmp

Filesize
584KB

Download
memory/4220-187-0x0000000005A20000-0x0000000005A42000-memory.dmp

Filesize
136KB

Download
memory/4220-189-0x0000000005BF0000-0x0000000005F40000-memory.dmp

Filesize
3.3MB

Download
memory/4472-289-0x000000000042212E-mapping.dmp

Download
memory/4472-327-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4472-348-0x0000000009480000-0x0000000009A86000-memory.dmp

Filesize
6.0MB

Download
memory/4472-349-0x0000000009000000-0x000000000910A000-memory.dmp

Filesize
1.0MB

Download
memory/4472-351-0x0000000008F30000-0x0000000008F42000-memory.dmp

Filesize
72KB

Download
memory/4472-353-0x0000000008FA0000-0x0000000008FDE000-memory.dmp

Filesize
248KB

Download
memory/4472-355-0x0000000009110000-0x000000000915B000-memory.dmp

Filesize
300KB

Download
memory/4472-363-0x00000000092E0000-0x0000000009372000-memory.dmp

Filesize
584KB

Download
memory/4472-364-0x0000000009F90000-0x000000000A48E000-memory.dmp

Filesize
5.0MB

Download
memory/4472-622-0x000000000A660000-0x000000000A822000-memory.dmp

Filesize
1.8MB

Download
memory/4472-623-0x000000000AD60000-0x000000000B28C000-memory.dmp

Filesize
5.2MB

Download