redline | a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe
Size

333KB
MD5

824449809c7eaa6a6e9fe32461a8f643
SHA1

b41a493bd8479c5af9285c879d516a1ca74fca2d
SHA256

a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954
SHA512

c96363fb9526708fe0be595789632d4c4a6150839b08c25fd98f50d25bc4abf3970878057a5d25f72e2201ed64677f2b6ca3db6444f5b780b6028b3e01e6d759
SSDEEP

6144:A1RwZfFQDOioMvzATd5W0jbSXRYyghTqjjjjjjjstrw0mFmjgfaX1RtX+0Xp:A/zDOioMvzA+iygRqjjjjjjjst00mFpw

Score

10^/10

redline 5345987420 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3540-2-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
88	pastebin.com
155	pastebin.com
392	pastebin.com
420	pastebin.com
524	pastebin.com
589	pastebin.com
140	pastebin.com
230	pastebin.com
404	pastebin.com
634	pastebin.com
761	pastebin.com
325	pastebin.com
434	pastebin.com
466	pastebin.com
885	pastebin.com
537	pastebin.com
566	pastebin.com
206	pastebin.com
490	pastebin.com
572	pastebin.com
884	pastebin.com
610	pastebin.com
713	pastebin.com
334	pastebin.com
454	pastebin.com
552	pastebin.com
866	pastebin.com
385	pastebin.com
528	pastebin.com
367	pastebin.com
400	pastebin.com
549	pastebin.com
825	pastebin.com
221	pastebin.com
561	pastebin.com
709	pastebin.com
760	pastebin.com
222	pastebin.com
232	pastebin.com
843	pastebin.com
853	pastebin.com
373	pastebin.com
159	pastebin.com
101	pastebin.com
712	pastebin.com
773	pastebin.com
730	pastebin.com
218	pastebin.com
264	pastebin.com
363	pastebin.com
414	pastebin.com
616	pastebin.com
694	pastebin.com
418	pastebin.com
59	pastebin.com
769	pastebin.com
145	pastebin.com
148	pastebin.com
360	pastebin.com
632	pastebin.com
568	pastebin.com
870	pastebin.com
83	pastebin.com
164	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4000 set thread context of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3540	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1248	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	92
PID 4000 wrote to memory of 1248	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	92
PID 4000 wrote to memory of 1248	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	92
PID 4000 wrote to memory of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93
PID 4000 wrote to memory of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93
PID 4000 wrote to memory of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93
PID 4000 wrote to memory of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93
PID 4000 wrote to memory of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93
PID 4000 wrote to memory of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93
PID 4000 wrote to memory of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93
PID 4000 wrote to memory of 3540	4000	a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe	93

C:\Users\Admin\AppData\Local\Temp\a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe
"C:\Users\Admin\AppData\Local\Temp\a80924711e9ec6f6d75c4777a147cfbc4b28ae85715577b8057675a635256954.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3540-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3540-4-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3540-5-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/3540-6-0x00000000063C0000-0x00000000069D8000-memory.dmp

Filesize
6.1MB

Download
memory/3540-7-0x0000000005DE0000-0x0000000005DF2000-memory.dmp

Filesize
72KB

Download
memory/3540-8-0x0000000005F10000-0x000000000601A000-memory.dmp

Filesize
1.0MB

Download
memory/3540-9-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3540-10-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3540-11-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4000-0-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4000-1-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4000-3-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download