redline | d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe
Size

267KB
MD5

05b102d752449032328faa14fd7e86a2
SHA1

1742cd2294c0002e1a220e190bfc13e7595b89ba
SHA256

d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3
SHA512

81988ba2061b0b2f3bf2909ab2f14ca1284115cc224d3e638f54bce449ba465f73feebd675aa0ec828531313d2266f5f9fb22848ba68b90f1acda0fd21a8d4ec
SSDEEP

6144:CHcllhS4qdxjPxUUsg4onGNm00xlwXTed6mmKU:Wa/SNRYoUEGggKU

Score

10^/10

redline 5345987420 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5620-0-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
756	pastebin.com
319	pastebin.com
790	pastebin.com
814	pastebin.com
97	pastebin.com
246	pastebin.com
482	pastebin.com
487	pastebin.com
163	pastebin.com
428	pastebin.com
438	pastebin.com
475	pastebin.com
616	pastebin.com
868	pastebin.com
527	pastebin.com
578	pastebin.com
656	pastebin.com
858	pastebin.com
186	pastebin.com
443	pastebin.com
595	pastebin.com
640	pastebin.com
747	pastebin.com
104	pastebin.com
128	pastebin.com
564	pastebin.com
635	pastebin.com
654	pastebin.com
122	pastebin.com
693	pastebin.com
233	pastebin.com
464	pastebin.com
883	pastebin.com
18	pastebin.com
112	pastebin.com
821	pastebin.com
347	pastebin.com
829	pastebin.com
282	pastebin.com
484	pastebin.com
497	pastebin.com
603	pastebin.com
728	pastebin.com
151	pastebin.com
457	pastebin.com
694	pastebin.com
881	pastebin.com
437	pastebin.com
461	pastebin.com
681	pastebin.com
791	pastebin.com
844	pastebin.com
19	pastebin.com
326	pastebin.com
507	pastebin.com
673	pastebin.com
696	pastebin.com
864	pastebin.com
335	pastebin.com
529	pastebin.com
56	pastebin.com
158	pastebin.com
261	pastebin.com
337	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5620	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5620	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88
PID 2136 wrote to memory of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88
PID 2136 wrote to memory of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88
PID 2136 wrote to memory of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88
PID 2136 wrote to memory of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88
PID 2136 wrote to memory of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88
PID 2136 wrote to memory of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88
PID 2136 wrote to memory of 5620	2136	d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe	88

C:\Users\Admin\AppData\Local\Temp\d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe
"C:\Users\Admin\AppData\Local\Temp\d2dd1f1ad181a273e50066e292dedb9817b75a20b33c5ac93bb4ba757bffc2b3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-1-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/5620-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5620-2-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/5620-3-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/5620-4-0x00000000062E0000-0x00000000068F8000-memory.dmp

Filesize
6.1MB

Download
memory/5620-5-0x0000000005D70000-0x0000000005D82000-memory.dmp

Filesize
72KB

Download
memory/5620-6-0x0000000005EA0000-0x0000000005FAA000-memory.dmp

Filesize
1.0MB

Download
memory/5620-7-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/5620-8-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/5620-9-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download