redline | 73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339

General

Target

73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe
Size

1.6MB
MD5

520c80ba7c464a83e87c8fb1802e13d3
SHA1

2254564a371d24f71da7f2266dfc17c7b0ae91a8
SHA256

73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339
SHA512

0cee26c9ed6c9a274574e1fcceea03e48a040f39f6f98b94b8fc5ad0887d599c5aba808ad88585142b8660df65de3d54bfedd15dd3d52f81e5c7a6b0ebc6e91d
SSDEEP

24576:fXvfMsh8TJF8LUbf6wav0ppfiH1WIjEqM+4N+WMRypVbVejCeP4oVZMK8:fvfnCyLUbMv0pk4wEDMRy7KrP4aW

Score

10^/10

redline alpaca infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

ALPACA

C2

77.73.133.87:25907

Attributes

auth_value
8d61195968b165108c51f8712ec15473

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/892-62-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/892-65-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/892-67-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe
1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe
1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe
1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe
1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe
892	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	InstallUtil.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1528	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	26
PID 1424 wrote to memory of 1528	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	26
PID 1424 wrote to memory of 1528	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	26
PID 1424 wrote to memory of 1528	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	26
PID 1424 wrote to memory of 1528	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	26
PID 1424 wrote to memory of 1528	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	26
PID 1424 wrote to memory of 1528	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	26
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27
PID 1424 wrote to memory of 892	1424	73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe	27

C:\Users\Admin\AppData\Local\Temp\73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe
"C:\Users\Admin\AppData\Local\Temp\73df71487bbfa869ccf7c2b5e38ea86bff429107bb556e0888b9df4bf03ac339.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-60-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/892-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/892-65-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/892-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1424-54-0x0000000002200000-0x0000000002946000-memory.dmp

Filesize
7.3MB

Download
memory/1424-55-0x0000000002200000-0x0000000002946000-memory.dmp

Filesize
7.3MB

Download
memory/1424-56-0x0000000002950000-0x0000000002AC1000-memory.dmp

Filesize
1.4MB

Download
memory/1424-57-0x0000000002950000-0x0000000002AC1000-memory.dmp

Filesize
1.4MB

Download
memory/1424-58-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1424-59-0x000000000E060000-0x000000000E1D0000-memory.dmp

Filesize
1.4MB

Download
memory/1424-64-0x0000000002950000-0x0000000002AC1000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing