redline | c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66

General

Target

5bec555084177862a21eba17b75d068f.exe
Size

1.6MB
MD5

5bec555084177862a21eba17b75d068f
SHA1

5492298dc817a9d9cf2af44b7c228770541da2ce
SHA256

c9030652b5ad2388542a4f54208bb717b82fb19d1ff34289a77ebb65e9ee7b66
SHA512

cd5809d3f40e944177e0e8d64a2df71d60872cbe41cab8b530eacecfa2615646dbd53ad035659e384ac1bdad9841e7495c5cb44bd17698863bc3efab0514abb9
SSDEEP

12288:hzFb61WSg1Hf4J/gjbrVkH0HprhYkfDFQJ2i1Z/cqOWehbDFuDjR8j97OM+fwQ:tr1HfY/gjbrVrB8/cqOWaDHkbfw

Score

10^/10

redline 1red1 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

1red1

C2

77.246.110.195:8599

Attributes

auth_value
743c159c0234992dee4975bf5855347b

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3336	winx32apideftype.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3296 set thread context of 4188	3296	5bec555084177862a21eba17b75d068f.exe	87
PID 3336 set thread context of 4560	3336	winx32apideftype.exe	100

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3544	3296	WerFault.exe	84
3844	3336	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4188	AppLaunch.exe
4188	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	AppLaunch.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4188	3296	5bec555084177862a21eba17b75d068f.exe	87
PID 3296 wrote to memory of 4188	3296	5bec555084177862a21eba17b75d068f.exe	87
PID 3296 wrote to memory of 4188	3296	5bec555084177862a21eba17b75d068f.exe	87
PID 3296 wrote to memory of 4188	3296	5bec555084177862a21eba17b75d068f.exe	87
PID 3296 wrote to memory of 4188	3296	5bec555084177862a21eba17b75d068f.exe	87
PID 4188 wrote to memory of 3336	4188	AppLaunch.exe	98
PID 4188 wrote to memory of 3336	4188	AppLaunch.exe	98
PID 4188 wrote to memory of 3336	4188	AppLaunch.exe	98
PID 3336 wrote to memory of 4560	3336	winx32apideftype.exe	100
PID 3336 wrote to memory of 4560	3336	winx32apideftype.exe	100
PID 3336 wrote to memory of 4560	3336	winx32apideftype.exe	100
PID 3336 wrote to memory of 4560	3336	winx32apideftype.exe	100
PID 3336 wrote to memory of 4560	3336	winx32apideftype.exe	100

C:\Users\Admin\AppData\Local\Temp\5bec555084177862a21eba17b75d068f.exe
"C:\Users\Admin\AppData\Local\Temp\5bec555084177862a21eba17b75d068f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\winx32apideftype.exe
    "C:\Users\Admin\AppData\Local\Temp\winx32apideftype.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 300
      4⤵
      Program crash
      PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 152
  2⤵
  - Program crash
  PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3296 -ip 3296
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3336 -ip 3336
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winx32apideftype.exe

Filesize
4.4MB

MD5
5e940e205fc8cd397c28682a5092cf40

SHA1
245cc5d940b7cdb15e705b58ba89d0b2326fb257

SHA256
042931c5b993c3d97a74c618e8e4bfe98915747014dc91c6d4ebd019588e5d00

SHA512
aad86c4e26a4b9c2d9eaa0cc5c70a699ec793691095dd659b9b0b16fac2a5f449df92a362df29aca5c6431614321fad6123ceb511119a7a069aa0b11a0dc4478

Download Submit
C:\Users\Admin\AppData\Local\Temp\winx32apideftype.exe

Filesize
4.4MB

MD5
5e940e205fc8cd397c28682a5092cf40

SHA1
245cc5d940b7cdb15e705b58ba89d0b2326fb257

SHA256
042931c5b993c3d97a74c618e8e4bfe98915747014dc91c6d4ebd019588e5d00

SHA512
aad86c4e26a4b9c2d9eaa0cc5c70a699ec793691095dd659b9b0b16fac2a5f449df92a362df29aca5c6431614321fad6123ceb511119a7a069aa0b11a0dc4478

Download Submit
C:\Users\Admin\AppData\Local\Temp\winx32apideftype.exe

Filesize
4.4MB

MD5
5e940e205fc8cd397c28682a5092cf40

SHA1
245cc5d940b7cdb15e705b58ba89d0b2326fb257

SHA256
042931c5b993c3d97a74c618e8e4bfe98915747014dc91c6d4ebd019588e5d00

SHA512
aad86c4e26a4b9c2d9eaa0cc5c70a699ec793691095dd659b9b0b16fac2a5f449df92a362df29aca5c6431614321fad6123ceb511119a7a069aa0b11a0dc4478

Download Submit
memory/3296-133-0x00000000002D0000-0x00000000004BD000-memory.dmp

Filesize
1.9MB

Download
memory/3296-134-0x00000000002D0000-0x00000000004BD000-memory.dmp

Filesize
1.9MB

Download
memory/3336-168-0x0000000000280000-0x0000000000734000-memory.dmp

Filesize
4.7MB

Download
memory/3336-162-0x0000000000280000-0x0000000000734000-memory.dmp

Filesize
4.7MB

Download
memory/4188-144-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/4188-143-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4188-146-0x00000000055A0000-0x0000000005616000-memory.dmp

Filesize
472KB

Download
memory/4188-147-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4188-148-0x0000000006900000-0x0000000006EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4188-149-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4188-150-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4188-151-0x00000000067C0000-0x0000000006810000-memory.dmp

Filesize
320KB

Download
memory/4188-152-0x0000000008E90000-0x0000000009052000-memory.dmp

Filesize
1.8MB

Download
memory/4188-153-0x0000000009590000-0x0000000009ABC000-memory.dmp

Filesize
5.2MB

Download
memory/4188-154-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4188-145-0x00000000052A0000-0x00000000052DC000-memory.dmp

Filesize
240KB

Download
memory/4188-142-0x0000000005330000-0x000000000543A000-memory.dmp

Filesize
1.0MB

Download
memory/4188-141-0x0000000005840000-0x0000000005E58000-memory.dmp

Filesize
6.1MB

Download
memory/4188-140-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4188-165-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4188-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4560-166-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4560-186-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4560-187-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4560-188-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4560-191-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing