redline | 458d2e1bc2bb46bd5610bf3faa5d48f3718ad72174d7da25c12ccdf8ff7e0570

Analysis

max time kernel
41s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe
Size

4.2MB
MD5

0893aeeca2f3b788f3281b40f432ea87
SHA1

ee329d6690fa9083926f47467c6f4b5699409247
SHA256

458d2e1bc2bb46bd5610bf3faa5d48f3718ad72174d7da25c12ccdf8ff7e0570
SHA512

f524fc78f422782abd90daa549169ec7e65f162a249da794ab22884f66d39ca6955b8224f0e1432c290d562affff52f1e02cbac267ca7a74b1ec59b1540eece9
SSDEEP

98304:S+W2tgj7eiP1+bzgJyM4sYXCl6fMX2hs/4Tq9KLz63g:SStgmq1og8AkC4fMlQ

Score

10^/10

redline pro infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

pro

79.137.199.206:45354

Attributes

auth_value
e20e8d1492a37ff0cfab3cd3f6c60362

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe

description	pid	process	target process
PID 1396 set thread context of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

1164 AddInProcess32.exe
1164 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1164 AddInProcess32.exe

pid	process
1164	AddInProcess32.exe
1164	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1164	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe

description	pid	process	target process
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe
PID 1396 wrote to memory of 1164	1396	90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe
"C:\Users\Admin\AppData\Local\Temp\90b902a384f7b3da868569a30cbebf140a895fcf028653dfbfb90f5fa6d0d21e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1164-57-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1164-58-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1164-63-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1164-62-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1164-60-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1164-64-0x0000000000096C82-mapping.dmp

Download
memory/1164-66-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1164-70-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1164-73-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/1164-74-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1396-54-0x00000000013C0000-0x0000000001A43000-memory.dmp

Filesize
6.5MB

Download