redline | 2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe
Size

267KB
MD5

ef9ca70006456b5454a91555a50f9838
SHA1

75721a16ad42f6494479ff6be2527b76af41c5d6
SHA256

2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1
SHA512

c432b80d2e5392c6b6117178544943b907ea7e0ebf74c87a0bd28f51cf3c84feaf4c22fea2d9533288fe7585a85d5cd921707df5208049d667145866e0ca4253
SSDEEP

6144:4YcllhS4qdxjPxUUsOhETPDJtNJEQcwbOFRcmmKU:na/SNRqJtf/cOsEKU

Score

10^/10

redline 5345987420 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1892-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
281	pastebin.com
561	pastebin.com
1066	pastebin.com
1261	pastebin.com
343	pastebin.com
425	pastebin.com
565	pastebin.com
814	pastebin.com
974	pastebin.com
1077	pastebin.com
1210	pastebin.com
1218	pastebin.com
1711	pastebin.com
41	pastebin.com
1462	pastebin.com
82	pastebin.com
282	pastebin.com
398	pastebin.com
618	pastebin.com
1230	pastebin.com
1283	pastebin.com
1317	pastebin.com
227	pastebin.com
249	pastebin.com
264	pastebin.com
384	pastebin.com
1282	pastebin.com
300	pastebin.com
605	pastebin.com
669	pastebin.com
997	pastebin.com
1440	pastebin.com
108	pastebin.com
748	pastebin.com
964	pastebin.com
998	pastebin.com
1549	pastebin.com
347	pastebin.com
1419	pastebin.com
1731	pastebin.com
495	pastebin.com
131	pastebin.com
353	pastebin.com
862	pastebin.com
1029	pastebin.com
1089	pastebin.com
1408	pastebin.com
201	pastebin.com
1175	pastebin.com
1721	pastebin.com
941	pastebin.com
1420	pastebin.com
588	pastebin.com
825	pastebin.com
639	pastebin.com
768	pastebin.com
797	pastebin.com
1381	pastebin.com
1402	pastebin.com
323	pastebin.com
502	pastebin.com
868	pastebin.com
1060	pastebin.com
1365	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1892	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1584	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	85
PID 1780 wrote to memory of 1584	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	85
PID 1780 wrote to memory of 1584	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	85
PID 1780 wrote to memory of 4324	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	86
PID 1780 wrote to memory of 4324	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	86
PID 1780 wrote to memory of 4324	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	86
PID 1780 wrote to memory of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87
PID 1780 wrote to memory of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87
PID 1780 wrote to memory of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87
PID 1780 wrote to memory of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87
PID 1780 wrote to memory of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87
PID 1780 wrote to memory of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87
PID 1780 wrote to memory of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87
PID 1780 wrote to memory of 1892	1780	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	87

C:\Users\Admin\AppData\Local\Temp\2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe
"C:\Users\Admin\AppData\Local\Temp\2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-0-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1892-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1892-2-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/1892-3-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/1892-4-0x0000000006180000-0x0000000006798000-memory.dmp

Filesize
6.1MB

Download
memory/1892-5-0x0000000005BE0000-0x0000000005BF2000-memory.dmp

Filesize
72KB

Download
memory/1892-6-0x0000000005D10000-0x0000000005E1A000-memory.dmp

Filesize
1.0MB

Download
memory/1892-7-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/1892-8-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/1892-9-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download