redline | 0f49d4879b83235428a204edb905ca7e822ce4374c90c8321951a85193e0837b

General

Target

Comet Executor/Comet.exe
Size

350.0MB
MD5

b7fe913c365f483fc79be7d81c7445c2
SHA1

23cfb242c4610f3de72521f78c8af219dac57451
SHA256

72d28771d21b24cadbd362ca08e16653d13080c3551e6b1dec4f32132d7a1bee
SHA512

ff7cea53e441fd56f1b36672b5338c725477b5960fb279d141f7f4c04f5750ad88c645d94b942c4f9cf007f52850b708205ec1c732aeea05a9cf1a4e070a5fb1
SSDEEP

24576:rcfBkcC1amUUoLK4N8vnxQtQHEZe0EVzkLzgjcV4CKo0/fOA2tdvU/:rcfKcF9dN86/bE2AcV4Cf0OtxU

Score

10^/10

redline @dxrkl0rd discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@dxrkl0rd

C2

91.103.252.8:29975

Attributes

auth_value
9750c50e8073b21d538cfb6d993427dc

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Comet.exe

description pid process target process

PID 856 set thread context of 2092 856 Comet.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

2092 RegAsm.exe
2092 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Comet.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 856 Comet.exe
Token: SeDebugPrivilege 2092 RegAsm.exe

description	pid	process	target process
PID 856 set thread context of 2092	856	Comet.exe	RegAsm.exe

pid	process
2092	RegAsm.exe
2092	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	856	Comet.exe
Token: SeDebugPrivilege	2092	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Comet.exe

description	pid	process	target process
PID 856 wrote to memory of 2092	856	Comet.exe	RegAsm.exe
PID 856 wrote to memory of 2092	856	Comet.exe	RegAsm.exe
PID 856 wrote to memory of 2092	856	Comet.exe	RegAsm.exe
PID 856 wrote to memory of 2092	856	Comet.exe	RegAsm.exe
PID 856 wrote to memory of 2092	856	Comet.exe	RegAsm.exe
PID 856 wrote to memory of 2092	856	Comet.exe	RegAsm.exe
PID 856 wrote to memory of 2092	856	Comet.exe	RegAsm.exe
PID 856 wrote to memory of 2092	856	Comet.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Comet Executor\Comet.exe
"C:\Users\Admin\AppData\Local\Temp\Comet Executor\Comet.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-133-0x0000000000900000-0x0000000000CD4000-memory.dmp

Filesize
3.8MB

Download
memory/856-134-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-135-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-137-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-139-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-143-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-141-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-145-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-147-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-149-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-151-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-153-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-155-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-157-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-159-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-161-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-163-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-165-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-167-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-169-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-171-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-173-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-175-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-177-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-179-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-181-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-183-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-185-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-187-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-189-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-191-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-193-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-195-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-197-0x00000000055E0000-0x000000000564F000-memory.dmp

Filesize
444KB

Download
memory/856-216-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/856-217-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/856-218-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/856-219-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/2092-222-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2092-223-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/2092-224-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/2092-225-0x00000000051A0000-0x00000000052AA000-memory.dmp

Filesize
1.0MB

Download
memory/2092-226-0x00000000050D0000-0x000000000510C000-memory.dmp

Filesize
240KB

Download
memory/2092-227-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/2092-228-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/2092-229-0x00000000060E0000-0x0000000006156000-memory.dmp

Filesize
472KB

Download
memory/2092-230-0x0000000006080000-0x000000000609E000-memory.dmp

Filesize
120KB

Download
memory/2092-231-0x0000000006200000-0x0000000006250000-memory.dmp

Filesize
320KB

Download
memory/2092-232-0x0000000006D90000-0x0000000006F52000-memory.dmp

Filesize
1.8MB

Download
memory/2092-233-0x0000000007490000-0x00000000079BC000-memory.dmp

Filesize
5.2MB

Download

Resubmissions

Analysis

Sharing