redline | 24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109

General

Target

24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
Size

3.1MB
MD5

1cd91de8f373882db0e2293f468544c8
SHA1

ff788f0bdbcc0e5951dc4b1f60c21d6dcfa7c90a
SHA256

24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109
SHA512

20cda0f10e9e01e09d75eba4724b060b2300ea707da33e12c1853c623311c54b038e21250b6bd68716b85f861bd7278949e00a58894f57418cacc021e5a21d62
SSDEEP

49152:zF1vNuhz6lqOEBsZEFDMEPrNeRfy8AJx4GV6UHRtLTwsOwu3B3WwepUBe1R:p1FuhzbsZMAEP0f3AXAUnosO/x3WSg

Score

10^/10

redline 11-25 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

11-25

C2

172.99.189.117:44670

Attributes

auth_value
f3754aeb17f33c672540bd6f71407965

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3900-145-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

description	pid	process	target process
PID 5112 set thread context of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exe24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

pid	process
176	powershell.exe
176	powershell.exe
5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
3900	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
3900	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exepowershell.exe24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

description	pid	process
Token: SeDebugPrivilege	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
Token: SeDebugPrivilege	176	powershell.exe
Token: SeDebugPrivilege	3900	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

description	pid	process	target process
PID 5112 wrote to memory of 176	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	powershell.exe
PID 5112 wrote to memory of 176	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	powershell.exe
PID 5112 wrote to memory of 176	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	powershell.exe
PID 5112 wrote to memory of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 wrote to memory of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 wrote to memory of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 wrote to memory of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 wrote to memory of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 wrote to memory of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 wrote to memory of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
PID 5112 wrote to memory of 3900	5112	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe	24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe

C:\Users\Admin\AppData\Local\Temp\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
"C:\Users\Admin\AppData\Local\Temp\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:176

C:\Users\Admin\AppData\Local\Temp\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
C:\Users\Admin\AppData\Local\Temp\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\24eac4d7f6e628d7cf291e8e1b39f5d2cc091578b05cfba301dc58709a1a2109.exe.log
Filesize
1KB

MD5
026fb31495d30e5dbfd00f398c2efbf8

SHA1
9cda8f5f58129e4d592ca1b9867835c86f38ab1b

SHA256
b008f16eeae90b4c6ba119fb308616c0795cdaca51adf2b64470a0c01aeeb8b7

SHA512
6d1cc01c90613522cfb7be7ea67ff03732b367dfc7bfd245ad6d7ea8e5e5def431b3339d17893b7b193cee2c3b4c22a459acd3d852ee88fce711e30c5af195a1

Download Submit
memory/176-142-0x00000000079A0000-0x000000000801A000-memory.dmp

Filesize
6.5MB

Download
memory/176-141-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/176-143-0x0000000006670000-0x000000000668A000-memory.dmp

Filesize
104KB

Download
memory/176-136-0x0000000000000000-mapping.dmp

Download
memory/176-137-0x0000000004BA0000-0x0000000004BD6000-memory.dmp

Filesize
216KB

Download
memory/176-138-0x0000000005280000-0x00000000058A8000-memory.dmp

Filesize
6.2MB

Download
memory/176-139-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/176-140-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/3900-149-0x0000000005980000-0x0000000005992000-memory.dmp

Filesize
72KB

Download
memory/3900-148-0x0000000005A40000-0x0000000005B4A000-memory.dmp

Filesize
1.0MB

Download
memory/3900-154-0x0000000008710000-0x0000000008C3C000-memory.dmp

Filesize
5.2MB

Download
memory/3900-144-0x0000000000000000-mapping.dmp

Download
memory/3900-145-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3900-153-0x0000000008010000-0x00000000081D2000-memory.dmp

Filesize
1.8MB

Download
memory/3900-147-0x0000000005F20000-0x0000000006538000-memory.dmp

Filesize
6.1MB

Download
memory/3900-152-0x0000000007120000-0x0000000007170000-memory.dmp

Filesize
320KB

Download
memory/3900-151-0x00000000070A0000-0x0000000007116000-memory.dmp

Filesize
472KB

Download
memory/3900-150-0x00000000059E0000-0x0000000005A1C000-memory.dmp

Filesize
240KB

Download
memory/5112-134-0x0000000007840000-0x0000000007DE4000-memory.dmp

Filesize
5.6MB

Download
memory/5112-132-0x00000000006C0000-0x00000000009E4000-memory.dmp

Filesize
3.1MB

Download
memory/5112-133-0x00000000071F0000-0x0000000007282000-memory.dmp

Filesize
584KB

Download
memory/5112-135-0x00000000072C0000-0x00000000072E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads