redline | 0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e

General

Target

0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe
Size

5.8MB
MD5

3e1a211e78c3fb60c8f7b52663fa741e
SHA1

068fb47cf931e4788010d55a32ed9b74d3777df7
SHA256

0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e
SHA512

b15702739ae6fd6108fa6d4967f7613ccbc171056a3dd81de21681f480e92be475586fd2a083c12b26648a29db2377f23dd36e2889d172c9e82df959fc5ba409
SSDEEP

98304:eT8TT3cExPT2uW5MI079g+DomNbpN3yjwQOF/lvlXAWCwFb8M7kwhi6zlUk5SoYp:eTM3PoL2V76+DjnNgwQ+dtLZ7kwg6JUX

Score

10^/10

redline +new10 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

+new10

C2

95.217.81.67:15781

Attributes

auth_value
71466e289c1fa2064de510a850454a2a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000a000000022e26-141.dat	family_redline
behavioral2/files/0x000a000000022e26-142.dat	family_redline
behavioral2/memory/4988-143-0x0000000000A20000-0x0000000000A80000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
4988	bjk.exe

Loads dropped DLL 2 IoCs

pid	Process
480	0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe
480	0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4988	bjk.exe
4988	bjk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	bjk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 480	1028	0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe	83
PID 1028 wrote to memory of 480	1028	0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe	83
PID 480 wrote to memory of 2712	480	0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe	84
PID 480 wrote to memory of 2712	480	0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe	84
PID 480 wrote to memory of 5072	480	0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe	85
PID 480 wrote to memory of 5072	480	0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe	85
PID 5072 wrote to memory of 4988	5072	cmd.exe	86
PID 5072 wrote to memory of 4988	5072	cmd.exe	86
PID 5072 wrote to memory of 4988	5072	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe
"C:\Users\Admin\AppData\Local\Temp\0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe
  "C:\Users\Admin\AppData\Local\Temp\0b248d8cc9122111b96ed71172ef287726900529da9cdc8da9968a2d40f1191e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c echo %temp%
    3⤵
    PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bjk.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\bjk.exe
      C:\Users\Admin\AppData\Local\Temp\bjk.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10282\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\base_library.zip

Filesize
1.0MB

MD5
d44084e338c5f77c0a75fc1161c82465

SHA1
86cf5d4f0e3732ff19187d39aae6d676dd2201d1

SHA256
4d6efa9a88b15e659864da0c0c19f6faf3bb88a6ee6623fa21114cd7f14c999f

SHA512
c9afb7b078b63eb016adc2e073f21230aa6bbcfa3378339ac70e264a2871a2d7e2f51309569396fe640733edb12db19f2e064c9697b6f1b22f58be276a58e7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjk.exe

Filesize
359KB

MD5
3bbcec2e0e798d9858d54a1dfe062d9c

SHA1
fe19a2ee81fca8759bef63ea743d586d86817fdd

SHA256
49e4eb7458946b065eccf54804896b3c575b1661fe8bde38987214086be5ce2d

SHA512
49e863202e0b29bf59d9e7e5b5487fb12ac6b9302f883ae48e187c2d430a5878561b786614f3ad1e49aaf6ea9c7cecc9a01bf9f79fd2635123b731b1212fde3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjk.exe

Filesize
359KB

MD5
3bbcec2e0e798d9858d54a1dfe062d9c

SHA1
fe19a2ee81fca8759bef63ea743d586d86817fdd

SHA256
49e4eb7458946b065eccf54804896b3c575b1661fe8bde38987214086be5ce2d

SHA512
49e863202e0b29bf59d9e7e5b5487fb12ac6b9302f883ae48e187c2d430a5878561b786614f3ad1e49aaf6ea9c7cecc9a01bf9f79fd2635123b731b1212fde3b

Download Submit
memory/4988-147-0x000000000ABC0000-0x000000000ABFC000-memory.dmp

Filesize
240KB

Download
memory/4988-148-0x000000000BCB0000-0x000000000C254000-memory.dmp

Filesize
5.6MB

Download
memory/4988-143-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/4988-144-0x000000000B0E0000-0x000000000B6F8000-memory.dmp

Filesize
6.1MB

Download
memory/4988-145-0x000000000AC30000-0x000000000AD3A000-memory.dmp

Filesize
1.0MB

Download
memory/4988-146-0x000000000AB60000-0x000000000AB72000-memory.dmp

Filesize
72KB

Download
memory/4988-154-0x000000000CC30000-0x000000000D15C000-memory.dmp

Filesize
5.2MB

Download
memory/4988-149-0x000000000B020000-0x000000000B0B2000-memory.dmp

Filesize
584KB

Download
memory/4988-150-0x000000000B770000-0x000000000B7D6000-memory.dmp

Filesize
408KB

Download
memory/4988-151-0x000000000C2E0000-0x000000000C356000-memory.dmp

Filesize
472KB

Download
memory/4988-152-0x000000000BC40000-0x000000000BC90000-memory.dmp

Filesize
320KB

Download
memory/4988-153-0x000000000C530000-0x000000000C6F2000-memory.dmp

Filesize
1.8MB

Download

Resubmissions

Analysis

Sharing