redline | 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
Size

267KB
MD5

75784927e58273f6ed2fea6bfb71fbef
SHA1

5f80cf17578456c4845ecb9eea18ef92fd103bc6
SHA256

0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f
SHA512

fb6febfc3bea565662462dc02326c8c9045d7db170edaa5052e67f7a043c7a03c7d8c33f8e43d32fc5c53e54072c00582553d06cfcef72879b87e1e4716389fe
SSDEEP

6144:XdcllhS4qdxjPxUUsnNJHgYussMG9lpC+2mmKU:Na/SNRWHvussMGbOKU

Score

10^/10

redline 5345987420 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4400-0-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
266	pastebin.com
683	pastebin.com
802	pastebin.com
699	pastebin.com
792	pastebin.com
1014	pastebin.com
369	pastebin.com
455	pastebin.com
841	pastebin.com
1135	pastebin.com
362	pastebin.com
723	pastebin.com
782	pastebin.com
892	pastebin.com
810	pastebin.com
148	pastebin.com
692	pastebin.com
731	pastebin.com
795	pastebin.com
191	pastebin.com
747	pastebin.com
781	pastebin.com
721	pastebin.com
801	pastebin.com
86	pastebin.com
177	pastebin.com
425	pastebin.com
903	pastebin.com
463	pastebin.com
526	pastebin.com
800	pastebin.com
619	pastebin.com
142	pastebin.com
472	pastebin.com
524	pastebin.com
946	pastebin.com
1037	pastebin.com
105	pastebin.com
178	pastebin.com
788	pastebin.com
956	pastebin.com
971	pastebin.com
1104	pastebin.com
123	pastebin.com
234	pastebin.com
473	pastebin.com
139	pastebin.com
386	pastebin.com
999	pastebin.com
460	pastebin.com
50	pastebin.com
58	pastebin.com
415	pastebin.com
408	pastebin.com
109	pastebin.com
256	pastebin.com
318	pastebin.com
438	pastebin.com
566	pastebin.com
941	pastebin.com
23	pastebin.com
571	pastebin.com
725	pastebin.com
765	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4724 set thread context of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4400	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 3364	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	86
PID 4724 wrote to memory of 3364	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	86
PID 4724 wrote to memory of 3364	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	86
PID 4724 wrote to memory of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87
PID 4724 wrote to memory of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87
PID 4724 wrote to memory of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87
PID 4724 wrote to memory of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87
PID 4724 wrote to memory of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87
PID 4724 wrote to memory of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87
PID 4724 wrote to memory of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87
PID 4724 wrote to memory of 4400	4724	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	87

C:\Users\Admin\AppData\Local\Temp\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
"C:\Users\Admin\AppData\Local\Temp\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4400-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4400-2-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/4400-3-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/4400-4-0x0000000005930000-0x0000000005F48000-memory.dmp

Filesize
6.1MB

Download
memory/4400-5-0x00000000053A0000-0x00000000053B2000-memory.dmp

Filesize
72KB

Download
memory/4400-6-0x00000000054D0000-0x00000000055DA000-memory.dmp

Filesize
1.0MB

Download
memory/4400-7-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4400-8-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/4400-9-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4724-1-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download