redline | 82ea10edc8a126ed26774707ebb6d5ce828268e260549bd75877fe256e06055f

General

Target

WhatsApp/WhatsApp.exe
Size

700.0MB
MD5

76e4e31dd3e40ac6790c83fa48419a55
SHA1

f42363c9ca8325a47efd4f01f177702433d78ff8
SHA256

661d2ed323c8703a7466774162972254589be4ab04abd6067d70ab44bc70d978
SHA512

78ae771f67d5c1c66d2e8ffc1f3dd398b6cd87c6ee813e6108e0f0c8cdfb8cd656c82d3ec4fff7b9d9f84c31e0cfd00b613150bb6eb22ad942c00a5aed379b8e
SSDEEP

98304:NCDnyTWzDCidsFXGAtljN36bZfRE7Rtc/vNK3egPJP:N2qM+idivVNKbZfREVtc0PJP

Score

10^/10

redline ws-19 agilenet infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

ws-19

C2

38.91.100.57:32750

Attributes

auth_value
b8974207e31b05e60d39e04eba8eeb0b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4428-143-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WhatsApp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WhatsApp.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/2064-132-0x0000000000B70000-0x0000000000F66000-memory.dmp	agile_net

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

WhatsApp.exe

description pid process target process

PID 2064 set thread context of 4428 2064 WhatsApp.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeWhatsApp.exeInstallUtil.exe

pid process

3900 powershell.exe
3900 powershell.exe
2064 WhatsApp.exe
2064 WhatsApp.exe
4428 InstallUtil.exe
4428 InstallUtil.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeWhatsApp.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 3900 powershell.exe
Token: SeDebugPrivilege 2064 WhatsApp.exe
Token: SeDebugPrivilege 4428 InstallUtil.exe

description	pid	process	target process
PID 2064 set thread context of 4428	2064	WhatsApp.exe	InstallUtil.exe

pid	process
3900	powershell.exe
3900	powershell.exe
2064	WhatsApp.exe
2064	WhatsApp.exe
4428	InstallUtil.exe
4428	InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	2064	WhatsApp.exe
Token: SeDebugPrivilege	4428	InstallUtil.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WhatsApp.exe

description	pid	process	target process
PID 2064 wrote to memory of 3900	2064	WhatsApp.exe	powershell.exe
PID 2064 wrote to memory of 3900	2064	WhatsApp.exe	powershell.exe
PID 2064 wrote to memory of 3900	2064	WhatsApp.exe	powershell.exe
PID 2064 wrote to memory of 4428	2064	WhatsApp.exe	InstallUtil.exe
PID 2064 wrote to memory of 4428	2064	WhatsApp.exe	InstallUtil.exe
PID 2064 wrote to memory of 4428	2064	WhatsApp.exe	InstallUtil.exe
PID 2064 wrote to memory of 4428	2064	WhatsApp.exe	InstallUtil.exe
PID 2064 wrote to memory of 4428	2064	WhatsApp.exe	InstallUtil.exe
PID 2064 wrote to memory of 4428	2064	WhatsApp.exe	InstallUtil.exe
PID 2064 wrote to memory of 4428	2064	WhatsApp.exe	InstallUtil.exe
PID 2064 wrote to memory of 4428	2064	WhatsApp.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe
"C:\Users\Admin\AppData\Local\Temp\WhatsApp\WhatsApp.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-132-0x0000000000B70000-0x0000000000F66000-memory.dmp

Filesize
4.0MB

Download
memory/2064-133-0x0000000005BC0000-0x0000000005BE2000-memory.dmp

Filesize
136KB

Download
memory/3900-134-0x0000000000000000-mapping.dmp

Download
memory/3900-135-0x0000000002D90000-0x0000000002DC6000-memory.dmp

Filesize
216KB

Download
memory/3900-136-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/3900-137-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/3900-138-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/3900-139-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/3900-140-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/3900-141-0x0000000006870000-0x000000000688A000-memory.dmp

Filesize
104KB

Download
memory/4428-142-0x0000000000000000-mapping.dmp

Download
memory/4428-143-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4428-144-0x0000000005530000-0x0000000005B48000-memory.dmp

Filesize
6.1MB

Download
memory/4428-145-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/4428-146-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/4428-147-0x0000000005010000-0x000000000504C000-memory.dmp

Filesize
240KB

Download
memory/4428-148-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/4428-149-0x0000000006100000-0x00000000066A4000-memory.dmp

Filesize
5.6MB

Download
memory/4428-150-0x0000000006880000-0x0000000006A42000-memory.dmp

Filesize
1.8MB

Download
memory/4428-151-0x0000000006F80000-0x00000000074AC000-memory.dmp

Filesize
5.2MB

Download
memory/4428-152-0x0000000006AE0000-0x0000000006B56000-memory.dmp

Filesize
472KB

Download
memory/4428-153-0x0000000006B60000-0x0000000006BB0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads