redline | 0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09/05/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
Size

267KB
MD5

75784927e58273f6ed2fea6bfb71fbef
SHA1

5f80cf17578456c4845ecb9eea18ef92fd103bc6
SHA256

0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f
SHA512

fb6febfc3bea565662462dc02326c8c9045d7db170edaa5052e67f7a043c7a03c7d8c33f8e43d32fc5c53e54072c00582553d06cfcef72879b87e1e4716389fe
SSDEEP

6144:XdcllhS4qdxjPxUUsnNJHgYussMG9lpC+2mmKU:Na/SNRWHvussMGbOKU

Score

10^/10

redline 5345987420 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2524-0-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
216	pastebin.com
291	pastebin.com
308	pastebin.com
879	pastebin.com
985	pastebin.com
1052	pastebin.com
81	pastebin.com
278	pastebin.com
606	pastebin.com
243	pastebin.com
249	pastebin.com
387	pastebin.com
810	pastebin.com
1016	pastebin.com
633	pastebin.com
85	pastebin.com
99	pastebin.com
124	pastebin.com
130	pastebin.com
236	pastebin.com
310	pastebin.com
577	pastebin.com
960	pastebin.com
299	pastebin.com
950	pastebin.com
77	pastebin.com
599	pastebin.com
608	pastebin.com
663	pastebin.com
848	pastebin.com
6	pastebin.com
117	pastebin.com
350	pastebin.com
489	pastebin.com
639	pastebin.com
61	pastebin.com
483	pastebin.com
998	pastebin.com
63	pastebin.com
541	pastebin.com
699	pastebin.com
791	pastebin.com
572	pastebin.com
659	pastebin.com
737	pastebin.com
945	pastebin.com
436	pastebin.com
449	pastebin.com
463	pastebin.com
690	pastebin.com
715	pastebin.com
1061	pastebin.com
7	pastebin.com
29	pastebin.com
52	pastebin.com
551	pastebin.com
605	pastebin.com
920	pastebin.com
467	pastebin.com
748	pastebin.com
757	pastebin.com
911	pastebin.com
150	pastebin.com
613	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2524	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83
PID 2552 wrote to memory of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83
PID 2552 wrote to memory of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83
PID 2552 wrote to memory of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83
PID 2552 wrote to memory of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83
PID 2552 wrote to memory of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83
PID 2552 wrote to memory of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83
PID 2552 wrote to memory of 2524	2552	0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe	83

C:\Users\Admin\AppData\Local\Temp\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe
"C:\Users\Admin\AppData\Local\Temp\0f4dcff379d19d306dfc50eb6cbf1cb259e73762b1b13d8427874b87efe4807f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2524-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2524-2-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2524-3-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/2524-4-0x0000000005CE0000-0x00000000062F8000-memory.dmp

Filesize
6.1MB

Download
memory/2524-5-0x0000000005720000-0x0000000005732000-memory.dmp

Filesize
72KB

Download
memory/2524-6-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/2524-7-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2524-8-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2524-9-0x0000000074360000-0x0000000074B11000-memory.dmp

Filesize
7.7MB

Download
memory/2552-1-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download