redline | 6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe
Size

332KB
MD5

2785970b40ee59c74ed08a80f670cf59
SHA1

3bd513a047d07542923fdda12233b6bfb0d3d4e9
SHA256

6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6
SHA512

1f433a2b25742ef7ae3ec4038d4d42b27b209a33b6feece35f8570925a368b5d5e6edf48d4c100be27c550c5deab479209c33d62f45b07aa4e1e7d1d85033f9c
SSDEEP

6144:T1Bwp/lwz9PI8/T6f5mUz7S3RMyghw1PPmfwjWlltD+0Xp:TPjz9PI8/TzeygSdPIwjWNy0Xp

Score

10^/10

redline 7001210066 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

7001210066

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3488-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
627	pastebin.com
658	pastebin.com
529	pastebin.com
164	pastebin.com
619	pastebin.com
944	pastebin.com
101	pastebin.com
720	pastebin.com
405	pastebin.com
508	pastebin.com
909	pastebin.com
981	pastebin.com
138	pastebin.com
823	pastebin.com
1027	pastebin.com
401	pastebin.com
194	pastebin.com
402	pastebin.com
407	pastebin.com
499	pastebin.com
50	pastebin.com
365	pastebin.com
684	pastebin.com
837	pastebin.com
901	pastebin.com
261	pastebin.com
110	pastebin.com
256	pastebin.com
465	pastebin.com
882	pastebin.com
1001	pastebin.com
81	pastebin.com
559	pastebin.com
609	pastebin.com
479	pastebin.com
515	pastebin.com
518	pastebin.com
641	pastebin.com
773	pastebin.com
939	pastebin.com
502	pastebin.com
587	pastebin.com
617	pastebin.com
660	pastebin.com
790	pastebin.com
879	pastebin.com
124	pastebin.com
620	pastebin.com
812	pastebin.com
321	pastebin.com
451	pastebin.com
994	pastebin.com
6	pastebin.com
1012	pastebin.com
205	pastebin.com
135	pastebin.com
146	pastebin.com
169	pastebin.com
497	pastebin.com
534	pastebin.com
848	pastebin.com
33	pastebin.com
743	pastebin.com
655	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3488	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85
PID 4488 wrote to memory of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85
PID 4488 wrote to memory of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85
PID 4488 wrote to memory of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85
PID 4488 wrote to memory of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85
PID 4488 wrote to memory of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85
PID 4488 wrote to memory of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85
PID 4488 wrote to memory of 3488	4488	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	85

C:\Users\Admin\AppData\Local\Temp\6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe
"C:\Users\Admin\AppData\Local\Temp\6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3488-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3488-3-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/3488-4-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/3488-5-0x0000000005FE0000-0x00000000065F8000-memory.dmp

Filesize
6.1MB

Download
memory/3488-6-0x0000000005A70000-0x0000000005A82000-memory.dmp

Filesize
72KB

Download
memory/3488-7-0x0000000005BA0000-0x0000000005CAA000-memory.dmp

Filesize
1.0MB

Download
memory/3488-8-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/3488-9-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/3488-10-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4488-2-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4488-0-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download