redline | e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd

Analysis

max time kernel
51s
max time network
178s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
28/09/2022, 22:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe
Size

464KB
MD5

68781ba2480e24d7676a6d6ec36ac5a2
SHA1

94ab12152255b1a8ef1556fbf25a5b1a414a6029
SHA256

e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd
SHA512

e6e4fc0994ed6b455407eab7c8f068438a5fe4aacc942c5fe3a1f4251730f4c034091e7a1f89833db7e31a30bc704722155331a7bd35b82c194965ecdf10daba
SSDEEP

12288:UHyw6lzVRKzgBg/pgy8mY8uxTE2ifaRUMJfcC:AizV1qx+82iiRUs

Score

10^/10

redline 1.3 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

1.3

152.89.218.219:45790

Attributes

auth_value
afe24321e9017179e86b28b662fd7ea0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/2904-175-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/2904-176-0x0000000000422126-mapping.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2904	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe
2904	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 2388	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	66
PID 3504 wrote to memory of 2388	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	66
PID 3504 wrote to memory of 2388	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	66
PID 3504 wrote to memory of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67
PID 3504 wrote to memory of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67
PID 3504 wrote to memory of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67
PID 3504 wrote to memory of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67
PID 3504 wrote to memory of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67
PID 3504 wrote to memory of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67
PID 3504 wrote to memory of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67
PID 3504 wrote to memory of 2904	3504	e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe	67

C:\Users\Admin\AppData\Local\Temp\e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe
"C:\Users\Admin\AppData\Local\Temp\e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe
  C:\Users\Admin\AppData\Local\Temp\e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe
  2⤵
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe
  C:\Users\Admin\AppData\Local\Temp\e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e8f1a6a1771f9d2a6eea8042d6283c78524e59801bbee0c7574341ee68dbdacd.exe.log

Filesize
789B

MD5
db5ef8d7c51bad129d9097bf953e4913

SHA1
8439db960aa2d431bf5ec3c37af775b45eb07e06

SHA256
1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9

SHA512
04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee

Download Submit
memory/2904-237-0x0000000005190000-0x00000000051DB000-memory.dmp

Filesize
300KB

Download
memory/2904-187-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-251-0x0000000006780000-0x00000000067D0000-memory.dmp

Filesize
320KB

Download
memory/2904-242-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/2904-175-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2904-235-0x0000000005150000-0x000000000518E000-memory.dmp

Filesize
248KB

Download
memory/2904-233-0x0000000005130000-0x0000000005142000-memory.dmp

Filesize
72KB

Download
memory/2904-231-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/2904-230-0x0000000005670000-0x0000000005C76000-memory.dmp

Filesize
6.0MB

Download
memory/2904-186-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-255-0x0000000006C10000-0x0000000006DD2000-memory.dmp

Filesize
1.8MB

Download
memory/2904-188-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-256-0x0000000007C20000-0x000000000814C000-memory.dmp

Filesize
5.2MB

Download
memory/2904-185-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-184-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-183-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-181-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2904-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-137-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-151-0x0000000000150000-0x00000000001CA000-memory.dmp

Filesize
488KB

Download
memory/3504-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-158-0x0000000006EE0000-0x0000000007000000-memory.dmp

Filesize
1.1MB

Download
memory/3504-159-0x0000000007500000-0x00000000079FE000-memory.dmp

Filesize
5.0MB

Download
memory/3504-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-161-0x00000000070A0000-0x0000000007132000-memory.dmp

Filesize
584KB

Download
memory/3504-162-0x0000000004AE0000-0x0000000004AE6000-memory.dmp

Filesize
24KB

Download
memory/3504-163-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-164-0x0000000007340000-0x00000000073B6000-memory.dmp

Filesize
472KB

Download
memory/3504-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-168-0x0000000004B20000-0x0000000004B3E000-memory.dmp

Filesize
120KB

Download
memory/3504-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-138-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-117-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-127-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-124-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-119-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3504-118-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download