redline | 7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
09/05/2024, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe
Size

267KB
MD5

aeaa53c59a3e130c91c0e738f581ff11
SHA1

209fabb8d4cbc8d4eb840101b0868d949b33d627
SHA256

7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539
SHA512

96c28954ba3e7d5ef06b4afef526e3ac628b86adfa29fb9e08bbd5482b8af0ef748afa1d1bdb36218a9e586803dd31d2c01a916d419c8294d446e49157746cc3
SSDEEP

6144:LvcllhS4qdxjPxUUsDncM1E7aQASk5WtdYOBWwDmmKU:ba/SNR9UlSkkvew3KU

Score

10^/10

redline 7001210066 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

7001210066

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1600-0-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
887	pastebin.com
1275	pastebin.com
1349	pastebin.com
1728	pastebin.com
889	pastebin.com
948	pastebin.com
1235	pastebin.com
504	pastebin.com
1512	pastebin.com
320	pastebin.com
415	pastebin.com
1364	pastebin.com
777	pastebin.com
1801	pastebin.com
239	pastebin.com
649	pastebin.com
678	pastebin.com
585	pastebin.com
1402	pastebin.com
1476	pastebin.com
951	pastebin.com
1372	pastebin.com
1459	pastebin.com
534	pastebin.com
1140	pastebin.com
205	pastebin.com
1220	pastebin.com
1626	pastebin.com
640	pastebin.com
809	pastebin.com
1072	pastebin.com
1458	pastebin.com
632	pastebin.com
656	pastebin.com
1033	pastebin.com
1152	pastebin.com
1244	pastebin.com
1499	pastebin.com
1598	pastebin.com
29	pastebin.com
399	pastebin.com
888	pastebin.com
981	pastebin.com
991	pastebin.com
1496	pastebin.com
1782	pastebin.com
554	pastebin.com
676	pastebin.com
738	pastebin.com
116	pastebin.com
705	pastebin.com
1502	pastebin.com
1198	pastebin.com
1313	pastebin.com
391	pastebin.com
730	pastebin.com
1493	pastebin.com
1044	pastebin.com
1564	pastebin.com
1399	pastebin.com
32	pastebin.com
136	pastebin.com
1212	pastebin.com
1737	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3260 set thread context of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1600	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82
PID 3260 wrote to memory of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82
PID 3260 wrote to memory of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82
PID 3260 wrote to memory of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82
PID 3260 wrote to memory of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82
PID 3260 wrote to memory of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82
PID 3260 wrote to memory of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82
PID 3260 wrote to memory of 1600	3260	7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe	82

C:\Users\Admin\AppData\Local\Temp\7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe
"C:\Users\Admin\AppData\Local\Temp\7ea22fbd62c7190c5ab3a5ac8f0f22899b0d7972bc9f642fbfbd2bf8e8aa5539.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1600-2-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/1600-3-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/1600-4-0x0000000005F70000-0x0000000006588000-memory.dmp

Filesize
6.1MB

Download
memory/1600-5-0x0000000005980000-0x0000000005992000-memory.dmp

Filesize
72KB

Download
memory/1600-6-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

Filesize
1.0MB

Download
memory/1600-7-0x0000000074F00000-0x00000000756B1000-memory.dmp

Filesize
7.7MB

Download
memory/1600-8-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/1600-9-0x0000000074F00000-0x00000000756B1000-memory.dmp

Filesize
7.7MB

Download
memory/3260-1-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download