redline | 23f70436d5d45e4abfd9763a73a43637a51192bb1ad95df790b6ebb3dd4060d1

General

Target

tmp.exe
Size

97KB
MD5

95e03ae51a6671e98b8461dc1ad766eb
SHA1

3968a825dbda1b2998f89018c163a5e16fbdc3f3
SHA256

23f70436d5d45e4abfd9763a73a43637a51192bb1ad95df790b6ebb3dd4060d1
SHA512

bd12655eb446251a76ddf49a68efadaa30f13cf905323dac0992a652679e745cad881e72df95b63c26b833cf2c5a7c51f8aa10da90291843a24a9b4180e4da26
SSDEEP

1536:fEzhNlLbVUKs23ZS0M5Gw/B4dIR/2rS4eCurntMJI8MY4:8z5LbVUz2RM5GfrS4eC6teIHB

Score

10^/10

redline mix-3 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

MIX-3

C2

167.235.133.96:43849

Attributes

auth_value
5809bfc38a41ac4369f75ca7762ad9c9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 3388	2180	tmp.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1580	powershell.exe
1580	powershell.exe
3388	tmp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	tmp.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	3388	tmp.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1580	2180	tmp.exe	91
PID 2180 wrote to memory of 1580	2180	tmp.exe	91
PID 2180 wrote to memory of 1580	2180	tmp.exe	91
PID 2180 wrote to memory of 3388	2180	tmp.exe	99
PID 2180 wrote to memory of 3388	2180	tmp.exe	99
PID 2180 wrote to memory of 3388	2180	tmp.exe	99
PID 2180 wrote to memory of 3388	2180	tmp.exe	99
PID 2180 wrote to memory of 3388	2180	tmp.exe	99
PID 2180 wrote to memory of 3388	2180	tmp.exe	99
PID 2180 wrote to memory of 3388	2180	tmp.exe	99
PID 2180 wrote to memory of 3388	2180	tmp.exe	99

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log

Filesize
1KB

MD5
3a9188331a78f1dbce606db64b841fcb

SHA1
8e2c99b7c477d06591a856a4ea3e1e214719eee8

SHA256
db4137e258a0f6159fda559a5f6dd2704be0582c3f0586f65040c7ad1eb68451

SHA512
d1a994610a045d89d5d306866c24ae56bf16555414b8f63f632552568e67b5586f26d5a17a1f0a55ada376730298e6d856e9161828d4eae9decfa4e015e0e90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ey35nn13.d4j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1580-144-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/1580-136-0x0000000002C40000-0x0000000002C76000-memory.dmp

Filesize
216KB

Download
memory/1580-137-0x0000000005480000-0x0000000005AA8000-memory.dmp

Filesize
6.2MB

Download
memory/1580-138-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/1580-156-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1580-158-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1580-149-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1580-150-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1580-151-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/1580-152-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/1580-153-0x0000000006710000-0x000000000672A000-memory.dmp

Filesize
104KB

Download
memory/1580-154-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1580-157-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2180-155-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2180-134-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/2180-135-0x0000000006210000-0x0000000006232000-memory.dmp

Filesize
136KB

Download
memory/2180-133-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download
memory/3388-167-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/3388-165-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/3388-166-0x00000000057C0000-0x00000000058CA000-memory.dmp

Filesize
1.0MB

Download
memory/3388-162-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3388-168-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/3388-169-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/3388-170-0x0000000006810000-0x0000000006DB4000-memory.dmp

Filesize
5.6MB

Download
memory/3388-171-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/3388-172-0x0000000006F90000-0x0000000007152000-memory.dmp

Filesize
1.8MB

Download
memory/3388-173-0x0000000007690000-0x0000000007BBC000-memory.dmp

Filesize
5.2MB

Download
memory/3388-174-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing