redline | 1551371a8c26e90e3ce229fd4f68351373e6bafcd7cfbe51e4892605bda772d0

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2023 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02e3ce5f9cff3521b4e443a7a98955ab.bin.exe
Size

1.2MB
MD5

02e3ce5f9cff3521b4e443a7a98955ab
SHA1

d022344ccf678b0d70f29770e54f836fb20eb737
SHA256

1551371a8c26e90e3ce229fd4f68351373e6bafcd7cfbe51e4892605bda772d0
SHA512

1ee18cda37cab9a25117fc609a6ecc088d89c40267679bb5e3b383e663e174996ab7c57a7a8d2d7ba92f33c40bcfd960ca94243902946fc9377a0780a0fa422d
SSDEEP

6144:SBsloyGJpqpn9PZZiQ3/0tAOVfuuJR+BnuonkENk6C8ZmMxonUMFO/NogCP2:S6XGJpqdNctbfpInuokWk6leQ2P2

Score

10^/10

redline @sogood1337 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

@sogood1337

94.142.138.4:80

Attributes

auth_value
55bcb57dbab66d380a24118a44c40da2

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4968 set thread context of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
448	InstallUtil.exe
448	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84
PID 4968 wrote to memory of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84
PID 4968 wrote to memory of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84
PID 4968 wrote to memory of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84
PID 4968 wrote to memory of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84
PID 4968 wrote to memory of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84
PID 4968 wrote to memory of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84
PID 4968 wrote to memory of 448	4968	02e3ce5f9cff3521b4e443a7a98955ab.bin.exe	84

C:\Users\Admin\AppData\Local\Temp\02e3ce5f9cff3521b4e443a7a98955ab.bin.exe
"C:\Users\Admin\AppData\Local\Temp\02e3ce5f9cff3521b4e443a7a98955ab.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/448-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/448-134-0x000000000B280000-0x000000000B898000-memory.dmp

Filesize
6.1MB

Download
memory/448-135-0x000000000CC50000-0x000000000CD5A000-memory.dmp

Filesize
1.0MB

Download
memory/448-136-0x000000000CB60000-0x000000000CB72000-memory.dmp

Filesize
72KB

Download
memory/448-137-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/448-138-0x000000000CBC0000-0x000000000CBFC000-memory.dmp

Filesize
240KB

Download
memory/448-139-0x000000000D740000-0x000000000D7B6000-memory.dmp

Filesize
472KB

Download
memory/448-140-0x000000000D860000-0x000000000D8F2000-memory.dmp

Filesize
584KB

Download
memory/448-141-0x000000000E3F0000-0x000000000E994000-memory.dmp

Filesize
5.6MB

Download
memory/448-142-0x000000000DEF0000-0x000000000DF56000-memory.dmp

Filesize
408KB

Download
memory/448-143-0x000000000DFB0000-0x000000000E000000-memory.dmp

Filesize
320KB

Download
memory/448-144-0x000000000E1D0000-0x000000000E392000-memory.dmp

Filesize
1.8MB

Download
memory/448-145-0x000000000EED0000-0x000000000F3FC000-memory.dmp

Filesize
5.2MB

Download
memory/448-146-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/448-147-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download