redline | 2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1

Analysis

max time kernel
150s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
09-05-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe
Size

267KB
MD5

ef9ca70006456b5454a91555a50f9838
SHA1

75721a16ad42f6494479ff6be2527b76af41c5d6
SHA256

2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1
SHA512

c432b80d2e5392c6b6117178544943b907ea7e0ebf74c87a0bd28f51cf3c84feaf4c22fea2d9533288fe7585a85d5cd921707df5208049d667145866e0ca4253
SSDEEP

6144:4YcllhS4qdxjPxUUsOhETPDJtNJEQcwbOFRcmmKU:na/SNRqJtf/cOsEKU

Score

10^/10

redline 5345987420 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4864-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
993	pastebin.com
1044	pastebin.com
1097	pastebin.com
588	pastebin.com
726	pastebin.com
894	pastebin.com
621	pastebin.com
1318	pastebin.com
1404	pastebin.com
26	pastebin.com
156	pastebin.com
316	pastebin.com
1530	pastebin.com
368	pastebin.com
480	pastebin.com
780	pastebin.com
997	pastebin.com
149	pastebin.com
301	pastebin.com
1236	pastebin.com
1340	pastebin.com
499	pastebin.com
814	pastebin.com
953	pastebin.com
1462	pastebin.com
320	pastebin.com
766	pastebin.com
1028	pastebin.com
1237	pastebin.com
1566	pastebin.com
1362	pastebin.com
151	pastebin.com
349	pastebin.com
618	pastebin.com
161	pastebin.com
656	pastebin.com
843	pastebin.com
1076	pastebin.com
749	pastebin.com
957	pastebin.com
61	pastebin.com
495	pastebin.com
1134	pastebin.com
1335	pastebin.com
1424	pastebin.com
1548	pastebin.com
1650	pastebin.com
622	pastebin.com
808	pastebin.com
1017	pastebin.com
1670	pastebin.com
558	pastebin.com
1082	pastebin.com
1344	pastebin.com
927	pastebin.com
1086	pastebin.com
1417	pastebin.com
538	pastebin.com
732	pastebin.com
1390	pastebin.com
43	pastebin.com
476	pastebin.com
1415	pastebin.com
117	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3908 set thread context of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4864	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82
PID 3908 wrote to memory of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82
PID 3908 wrote to memory of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82
PID 3908 wrote to memory of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82
PID 3908 wrote to memory of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82
PID 3908 wrote to memory of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82
PID 3908 wrote to memory of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82
PID 3908 wrote to memory of 4864	3908	2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe	82

C:\Users\Admin\AppData\Local\Temp\2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe
"C:\Users\Admin\AppData\Local\Temp\2fef5824862e6a49e4ccc50a4a2a852a593376f7ea95f715530f943ba49fe6f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3908-0-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4864-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4864-2-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/4864-3-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4864-4-0x00000000064C0000-0x0000000006AD8000-memory.dmp

Filesize
6.1MB

Download
memory/4864-5-0x0000000005EE0000-0x0000000005EF2000-memory.dmp

Filesize
72KB

Download
memory/4864-6-0x0000000006010000-0x000000000611A000-memory.dmp

Filesize
1.0MB

Download
memory/4864-7-0x0000000074BC0000-0x0000000075371000-memory.dmp

Filesize
7.7MB

Download
memory/4864-8-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/4864-9-0x0000000074BC0000-0x0000000075371000-memory.dmp

Filesize
7.7MB

Download