redline | 0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d

General

Target

0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
Size

898KB
MD5

4c42520a02966a874eb4fbdc0a74e208
SHA1

8c17320204683ca1dcf81c0a031a6e6c0d679d84
SHA256

0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d
SHA512

c9891c1a8428ba8ece0880c725a8fbbc0a77573f3460c35eeb7385c6993712fd35143b9662599d09f25af36f30ff856b32ae085161b1baa431aa428ecd5ea512
SSDEEP

12288:q2q6vb3D/Lnzv7XjbXApWwDrOYxfl0BDOUn8cIajfjo6ENMCCa3zw:DbXoFOY/SuaCMS3zw

Score

10^/10

redline anh123 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

Anh123

C2

199.115.193.116:11300

Attributes

auth_value
db990971ec3911c24ea05eeccc2e1f60

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

description	pid	process	target process
PID 404 set thread context of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

pid	process
4948	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
4948	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

description pid process

Token: SeDebugPrivilege 4948 0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

description	pid	process
Token: SeDebugPrivilege	4948	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

description	pid	process	target process
PID 404 wrote to memory of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
PID 404 wrote to memory of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
PID 404 wrote to memory of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
PID 404 wrote to memory of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
PID 404 wrote to memory of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
PID 404 wrote to memory of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
PID 404 wrote to memory of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
PID 404 wrote to memory of 4948	404	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe	0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe

C:\Users\Admin\AppData\Local\Temp\0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
"C:\Users\Admin\AppData\Local\Temp\0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
C:\Users\Admin\AppData\Local\Temp\0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0c71cf525042e6cd8d338248d66081495cbf35be2f28d515965fa15f1ad7432d.exe.log
Filesize
1KB

MD5
be1788135df70eb012f684bc8237162a

SHA1
b2e0403661c14563fd48d8bb0d41ae2bcfbf3d36

SHA256
88138ab6e758402a1a8c6c0249d7b8df1c1c47c5f9363b870cd4c23a45806506

SHA512
1a7c633e2492066b1dae1bd90402e1345397dba876e955400c84eda6dfde0894b098487235ee5d096aae6cfc66cdefcf649c6484b669bcdbc85059ed9e8ca2a2

Download Submit
memory/404-122-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/404-123-0x0000000005780000-0x0000000005C7E000-memory.dmp

Filesize
5.0MB

Download
memory/404-124-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/404-125-0x0000000005320000-0x0000000005670000-memory.dmp

Filesize
3.3MB

Download
memory/404-126-0x00000000061B0000-0x00000000066DC000-memory.dmp

Filesize
5.2MB

Download
memory/404-121-0x00000000007E0000-0x00000000008C6000-memory.dmp

Filesize
920KB

Download
memory/4948-130-0x00000000056B0000-0x0000000005CB6000-memory.dmp

Filesize
6.0MB

Download
memory/4948-127-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4948-131-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/4948-132-0x0000000005110000-0x0000000005122000-memory.dmp

Filesize
72KB

Download
memory/4948-133-0x0000000005170000-0x00000000051AE000-memory.dmp

Filesize
248KB

Download
memory/4948-134-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4948-135-0x00000000052F0000-0x000000000533B000-memory.dmp

Filesize
300KB

Download
memory/4948-136-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4948-137-0x00000000060C0000-0x0000000006136000-memory.dmp

Filesize
472KB

Download
memory/4948-138-0x0000000005DC0000-0x0000000005E10000-memory.dmp

Filesize
320KB

Download
memory/4948-139-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/4948-140-0x0000000006A90000-0x0000000006C52000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads