redline | 6af5a56deb5139e66b9a344c40861a633b32b5cefbb120355bb3f3f207007cbb

Analysis

max time kernel
61s
max time network
64s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
20-09-2022 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

redline_stage_2.exe
Size

3.2MB
MD5

cb256a45f5ea76e960224e587bd339bd
SHA1

4861d0ac38f7a3072e2552576aca1ccb4b5a182c
SHA256

6af5a56deb5139e66b9a344c40861a633b32b5cefbb120355bb3f3f207007cbb
SHA512

ebb1d1e951d8660d44e800a2933fbddb0009be148afd25bb4266ea1c7ad576f4d4343da65eef00b63530e7e42c05acdc7360423749e343d55470d590e210b862
SSDEEP

49152:ojXRjNYpHz+x1DruxTDUCzXWnUcvgvNgFmaQhSD+eE02bSiN6lQi67QeklF:KXvYperWnUCzmUc4V0N1nrc74F

Score

10^/10

redline gd agilenet infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

49.51.90.156:32323

Attributes

auth_value
216b4a613d722869714e5beaeac54def

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5076-298-0x000000000041AD9E-mapping.dmp	family_redline
behavioral1/memory/5076-336-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/976-148-0x00000000004C0000-0x00000000007DE000-memory.dmp	agile_net

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

redline_stage_2.exe

description pid process target process

PID 976 set thread context of 5076 976 redline_stage_2.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeAppLaunch.exe

pid process

4224 powershell.exe
4224 powershell.exe
4224 powershell.exe
5076 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

redline_stage_2.exepowershell.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 976 redline_stage_2.exe
Token: SeDebugPrivilege 4224 powershell.exe
Token: SeDebugPrivilege 5076 AppLaunch.exe

description	pid	process	target process
PID 976 set thread context of 5076	976	redline_stage_2.exe	AppLaunch.exe

pid	process
4224	powershell.exe
4224	powershell.exe
4224	powershell.exe
5076	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	976	redline_stage_2.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	5076	AppLaunch.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

redline_stage_2.exe

description	pid	process	target process
PID 976 wrote to memory of 4224	976	redline_stage_2.exe	powershell.exe
PID 976 wrote to memory of 4224	976	redline_stage_2.exe	powershell.exe
PID 976 wrote to memory of 4224	976	redline_stage_2.exe	powershell.exe
PID 976 wrote to memory of 5076	976	redline_stage_2.exe	AppLaunch.exe
PID 976 wrote to memory of 5076	976	redline_stage_2.exe	AppLaunch.exe
PID 976 wrote to memory of 5076	976	redline_stage_2.exe	AppLaunch.exe
PID 976 wrote to memory of 5076	976	redline_stage_2.exe	AppLaunch.exe
PID 976 wrote to memory of 5076	976	redline_stage_2.exe	AppLaunch.exe
PID 976 wrote to memory of 5076	976	redline_stage_2.exe	AppLaunch.exe
PID 976 wrote to memory of 5076	976	redline_stage_2.exe	AppLaunch.exe
PID 976 wrote to memory of 5076	976	redline_stage_2.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\redline_stage_2.exe
"C:\Users\Admin\AppData\Local\Temp\redline_stage_2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-116-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-117-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-118-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-119-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-120-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-121-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-122-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-123-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-124-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-126-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-125-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-128-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-127-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-129-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-130-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-131-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-132-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-133-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-134-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-135-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-136-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-137-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-138-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-139-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-140-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-141-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-142-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-143-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-144-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-145-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-146-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-147-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-148-0x00000000004C0000-0x00000000007DE000-memory.dmp

Filesize
3.1MB

Download
memory/976-149-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-150-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-151-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-152-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-153-0x0000000005490000-0x000000000598E000-memory.dmp

Filesize
5.0MB

Download
memory/976-154-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/976-155-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-156-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-157-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-158-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-159-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-160-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-161-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-162-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-163-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-164-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-165-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-166-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-167-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-168-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-169-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-170-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/976-171-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-172-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-173-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-174-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-175-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-176-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-177-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-178-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-179-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-181-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-180-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-182-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-183-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/976-190-0x00000000060D0000-0x0000000006284000-memory.dmp

Filesize
1.7MB

Download
memory/976-192-0x00000000062F0000-0x0000000006312000-memory.dmp

Filesize
136KB

Download
memory/976-194-0x0000000006480000-0x00000000067D0000-memory.dmp

Filesize
3.3MB

Download
memory/4224-205-0x0000000000000000-mapping.dmp

Download
memory/4224-241-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/4224-246-0x0000000007B20000-0x0000000008148000-memory.dmp

Filesize
6.2MB

Download
memory/4224-265-0x00000000081C0000-0x0000000008226000-memory.dmp

Filesize
408KB

Download
memory/4224-266-0x0000000008150000-0x00000000081B6000-memory.dmp

Filesize
408KB

Download
memory/4224-269-0x0000000008270000-0x000000000828C000-memory.dmp

Filesize
112KB

Download
memory/4224-270-0x0000000008960000-0x00000000089AB000-memory.dmp

Filesize
300KB

Download
memory/4224-274-0x0000000008B40000-0x0000000008BB6000-memory.dmp

Filesize
472KB

Download
memory/4224-285-0x000000000A1B0000-0x000000000A828000-memory.dmp

Filesize
6.5MB

Download
memory/4224-286-0x00000000098F0000-0x000000000990A000-memory.dmp

Filesize
104KB

Download
memory/5076-298-0x000000000041AD9E-mapping.dmp

Download
memory/5076-336-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5076-357-0x00000000096B0000-0x0000000009CB6000-memory.dmp

Filesize
6.0MB

Download
memory/5076-358-0x0000000009150000-0x0000000009162000-memory.dmp

Filesize
72KB

Download
memory/5076-359-0x0000000009280000-0x000000000938A000-memory.dmp

Filesize
1.0MB

Download
memory/5076-362-0x00000000091B0000-0x00000000091EE000-memory.dmp

Filesize
248KB

Download
memory/5076-364-0x00000000091F0000-0x000000000923B000-memory.dmp

Filesize
300KB

Download
memory/5076-375-0x0000000009660000-0x000000000967E000-memory.dmp

Filesize
120KB

Download
memory/5076-636-0x000000000AA40000-0x000000000AA90000-memory.dmp

Filesize
320KB

Download
memory/5076-649-0x000000000AD60000-0x000000000AF22000-memory.dmp

Filesize
1.8MB

Download
memory/5076-650-0x000000000B460000-0x000000000B98C000-memory.dmp

Filesize
5.2MB

Download