redline | e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe
Size

267KB
MD5

1dd956432ba3549c9057a813ce1da45a
SHA1

5ec1dd14edaea860dc42b6d3367da4ad40266670
SHA256

e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6
SHA512

18d390a4948c14ff0e8ec762f9259a557040338f8d96861b1c113d44ff47bdfba5e79541dc7e8890fcf2edbdd40169645872f7b0b5494ecb2cd0cb2cc0d371b8
SSDEEP

6144:ninEWzOQed1/zlIoJ7oUZdY9mUfG/upCmk201XmKU:inBzOxhtZdk7G/upntKU

Score

10^/10

redline 5345987420 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/532-0-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
394	pastebin.com
569	pastebin.com
725	pastebin.com
771	pastebin.com
968	pastebin.com
651	pastebin.com
1266	pastebin.com
222	pastebin.com
1169	pastebin.com
654	pastebin.com
801	pastebin.com
1049	pastebin.com
1275	pastebin.com
1437	pastebin.com
87	pastebin.com
1068	pastebin.com
1393	pastebin.com
1469	pastebin.com
1677	pastebin.com
80	pastebin.com
120	pastebin.com
219	pastebin.com
284	pastebin.com
688	pastebin.com
524	pastebin.com
544	pastebin.com
1093	pastebin.com
37	pastebin.com
207	pastebin.com
952	pastebin.com
1048	pastebin.com
1267	pastebin.com
686	pastebin.com
926	pastebin.com
1666	pastebin.com
1707	pastebin.com
142	pastebin.com
206	pastebin.com
235	pastebin.com
1015	pastebin.com
1224	pastebin.com
538	pastebin.com
1348	pastebin.com
377	pastebin.com
947	pastebin.com
105	pastebin.com
836	pastebin.com
1039	pastebin.com
123	pastebin.com
348	pastebin.com
1593	pastebin.com
528	pastebin.com
631	pastebin.com
1210	pastebin.com
36	pastebin.com
86	pastebin.com
1490	pastebin.com
1549	pastebin.com
112	pastebin.com
1353	pastebin.com
350	pastebin.com
1539	pastebin.com
149	pastebin.com
349	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4776 set thread context of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
532	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92
PID 4776 wrote to memory of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92
PID 4776 wrote to memory of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92
PID 4776 wrote to memory of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92
PID 4776 wrote to memory of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92
PID 4776 wrote to memory of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92
PID 4776 wrote to memory of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92
PID 4776 wrote to memory of 532	4776	e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe	92

C:\Users\Admin\AppData\Local\Temp\e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe
"C:\Users\Admin\AppData\Local\Temp\e0c1ee8e6f795e069042b51355813c0253e91843636732ad8037c10eaa8939b6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/532-1-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/532-2-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/532-3-0x0000000005D10000-0x0000000006328000-memory.dmp

Filesize
6.1MB

Download
memory/532-4-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download
memory/532-5-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/532-6-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/532-7-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/532-8-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download