redline | e5331799723ae13300f9a49b5588662a116adf662d373e4fea33c3b13b636b40

General

Target

9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe
Size

329KB
MD5

927fa2810d057f5b7740f9fd3d0af3c9
SHA1

b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8
SHA256

9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9
SHA512

54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8
SSDEEP

6144:Y2A0vtQBor7oi2eemoLa9VBdH/Mz1KKd619AqUAwZuav:FA0v4ovo8NoLm5s5duBUAwJ

Score

10^/10

redline @rlreborn cloud tg: @fatherofcarders)discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

C2

141.95.211.148:46011

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1072-5-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe

description	pid	process	target process
PID 4768 set thread context of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exe

pid process

1072 RegAsm.exe
1072 RegAsm.exe
1072 RegAsm.exe
1072 RegAsm.exe
1072 RegAsm.exe
1072 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1072 RegAsm.exe

pid	process
1072	RegAsm.exe
1072	RegAsm.exe
1072	RegAsm.exe
1072	RegAsm.exe
1072	RegAsm.exe
1072	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1072	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe

description	pid	process	target process
PID 4768 wrote to memory of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe
PID 4768 wrote to memory of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe
PID 4768 wrote to memory of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe
PID 4768 wrote to memory of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe
PID 4768 wrote to memory of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe
PID 4768 wrote to memory of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe
PID 4768 wrote to memory of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe
PID 4768 wrote to memory of 1072	4768	9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe
"C:\Users\Admin\AppData\Local\Temp\9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-19-0x0000000008090000-0x00000000080DC000-memory.dmp

Filesize
304KB

Download
memory/1072-20-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/1072-14-0x0000000005180000-0x000000000518A000-memory.dmp

Filesize
40KB

Download
memory/1072-17-0x0000000006590000-0x00000000065A2000-memory.dmp

Filesize
72KB

Download
memory/1072-15-0x0000000006780000-0x0000000006D98000-memory.dmp

Filesize
6.1MB

Download
memory/1072-25-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1072-10-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/1072-11-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1072-12-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/1072-13-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1072-23-0x0000000009400000-0x000000000992C000-memory.dmp

Filesize
5.2MB

Download
memory/1072-22-0x0000000008D00000-0x0000000008EC2000-memory.dmp

Filesize
1.8MB

Download
memory/1072-5-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1072-16-0x0000000006670000-0x000000000677A000-memory.dmp

Filesize
1.0MB

Download
memory/1072-18-0x0000000008040000-0x000000000807C000-memory.dmp

Filesize
240KB

Download
memory/1072-21-0x0000000008AE0000-0x0000000008B30000-memory.dmp

Filesize
320KB

Download
memory/4768-0-0x0000000000880000-0x00000000008D6000-memory.dmp

Filesize
344KB

Download
memory/4768-1-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4768-7-0x0000000002CC0000-0x0000000004CC0000-memory.dmp

Filesize
32.0MB

Download
memory/4768-3-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4768-9-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads