redline | fba703c00aa3908fd7bea1806af74aefba3f3657bf52d0f1e87cac54dd0230c4

General

Target

file.exe
Size

1.8MB
MD5

288a06e42d98f0624269f33259a8d969
SHA1

c7aeda50137ddb61af5e321d3612f1cbaac6490a
SHA256

fba703c00aa3908fd7bea1806af74aefba3f3657bf52d0f1e87cac54dd0230c4
SHA512

74eaeb0fe58644fa06030468d835178128f8d0df0399549b7d737da5bfcd4123f471341f760fcb0264fde0f7af056aa8b12ebb4137204227df91e741fc79c337
SSDEEP

49152:IBJjYbVrAXDZhV4hkxcJmjKpEybB5TUXhrt8:y9YVrAlf4hkWKnBRri

Score

10^/10

redline test infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

test

C2

77.91.85.137:81

Attributes

auth_value
eb42c93b96eea8a95189cf1eeb4f7c0b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 1 IoCs

pid	Process
1728	Looex32.exe

Loads dropped DLL 5 IoCs

pid	Process
1424	file.exe
1424	file.exe
1424	file.exe
1424	file.exe
1424	file.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 552	1728	Looex32.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
552	AppLaunch.exe
552	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	AppLaunch.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1728	1424	file.exe	27
PID 1424 wrote to memory of 1728	1424	file.exe	27
PID 1424 wrote to memory of 1728	1424	file.exe	27
PID 1424 wrote to memory of 1728	1424	file.exe	27
PID 1728 wrote to memory of 552	1728	Looex32.exe	29
PID 1728 wrote to memory of 552	1728	Looex32.exe	29
PID 1728 wrote to memory of 552	1728	Looex32.exe	29
PID 1728 wrote to memory of 552	1728	Looex32.exe	29
PID 1728 wrote to memory of 552	1728	Looex32.exe	29
PID 1728 wrote to memory of 552	1728	Looex32.exe	29
PID 1728 wrote to memory of 552	1728	Looex32.exe	29
PID 1728 wrote to memory of 552	1728	Looex32.exe	29
PID 1728 wrote to memory of 552	1728	Looex32.exe	29

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Looex32.exe

Filesize
318KB

MD5
dedd740ccfb827f92d831a9a61cf2de8

SHA1
57319968b8a3dbf2ae397f3296f75ba7a189ff52

SHA256
1314ae4d6c966cb4a39ea9d59cef4f3c88cd42dc7ee9be25d82e66af6b59e097

SHA512
fe78c1b1ed94019158295fde2631f9cdd12ea5e280b832ed3c0e1569e671590f090719c701e1c421bf79451870697180d4048bddd588792f59e135ab9e7f8eba

Download Submit
memory/552-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/552-77-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/552-81-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/552-83-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/552-84-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/552-85-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/552-86-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing