redline | 4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b

General

Target

4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe
Size

381KB
MD5

e95dee5fcd5037f1008ddd5d310a8b58
SHA1

c372b99011b22f41386cff26087d6848191d545d
SHA256

4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b
SHA512

41b64a5bdeef61e70177d76ca039da3a86d51902e67d798148974d51ebab0445e8776ba8f4a383b7c891c6d5a76fd61e9118b45f5c07f1df06b63967a25ae11b
SSDEEP

6144:ORCulXui16lr+3jHBwDp6mAOfHPJNkivgHhlUpNn3WUzjwwc33viKC:ORnui16lrgmVHRwImyjjcPiKC

Score

10^/10

redline unique285 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

unique285

C2

194.169.175.232:45451

Attributes

auth_value
1ed06994a9a19d3729019cb69c1f61a6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	2100	WerFault.exe	21

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3040	AppLaunch.exe
3040	AppLaunch.exe
3040	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 3040	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	31
PID 2100 wrote to memory of 2772	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	32
PID 2100 wrote to memory of 2772	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	32
PID 2100 wrote to memory of 2772	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	32
PID 2100 wrote to memory of 2772	2100	4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe	32

C:\Users\Admin\AppData\Local\Temp\4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe
"C:\Users\Admin\AppData\Local\Temp\4f3ab894e7b94d0026ec632c24ebe877c8cb33c34dd77fbf0f967de5f3861e2b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 120
  2⤵
  - Program crash
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-5-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-11-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-12-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/3040-13-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/3040-14-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-15-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/3040-16-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing