redline | 6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09/05/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe
Size

332KB
MD5

2785970b40ee59c74ed08a80f670cf59
SHA1

3bd513a047d07542923fdda12233b6bfb0d3d4e9
SHA256

6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6
SHA512

1f433a2b25742ef7ae3ec4038d4d42b27b209a33b6feece35f8570925a368b5d5e6edf48d4c100be27c550c5deab479209c33d62f45b07aa4e1e7d1d85033f9c
SSDEEP

6144:T1Bwp/lwz9PI8/T6f5mUz7S3RMyghw1PPmfwjWlltD+0Xp:TPjz9PI8/TzeygSdPIwjWNy0Xp

Score

10^/10

redline 7001210066 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

7001210066

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1708-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
687	pastebin.com
692	pastebin.com
228	pastebin.com
237	pastebin.com
241	pastebin.com
296	pastebin.com
329	pastebin.com
336	pastebin.com
413	pastebin.com
761	pastebin.com
233	pastebin.com
420	pastebin.com
913	pastebin.com
16	pastebin.com
271	pastebin.com
70	pastebin.com
342	pastebin.com
428	pastebin.com
816	pastebin.com
823	pastebin.com
181	pastebin.com
478	pastebin.com
481	pastebin.com
578	pastebin.com
660	pastebin.com
104	pastebin.com
314	pastebin.com
426	pastebin.com
518	pastebin.com
760	pastebin.com
555	pastebin.com
717	pastebin.com
351	pastebin.com
398	pastebin.com
468	pastebin.com
774	pastebin.com
800	pastebin.com
185	pastebin.com
411	pastebin.com
57	pastebin.com
614	pastebin.com
615	pastebin.com
758	pastebin.com
71	pastebin.com
169	pastebin.com
279	pastebin.com
451	pastebin.com
837	pastebin.com
145	pastebin.com
236	pastebin.com
607	pastebin.com
874	pastebin.com
294	pastebin.com
308	pastebin.com
327	pastebin.com
613	pastebin.com
644	pastebin.com
304	pastebin.com
735	pastebin.com
68	pastebin.com
216	pastebin.com
66	pastebin.com
132	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4304 set thread context of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1708	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81
PID 4304 wrote to memory of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81
PID 4304 wrote to memory of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81
PID 4304 wrote to memory of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81
PID 4304 wrote to memory of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81
PID 4304 wrote to memory of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81
PID 4304 wrote to memory of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81
PID 4304 wrote to memory of 1708	4304	6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe	81

C:\Users\Admin\AppData\Local\Temp\6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe
"C:\Users\Admin\AppData\Local\Temp\6741290e801efcde6acb6ff03e3b543463bf7bd399a10f6544af419f932321c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1708-3-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/1708-4-0x0000000004AB0000-0x0000000004B16000-memory.dmp

Filesize
408KB

Download
memory/1708-5-0x0000000005630000-0x0000000005C48000-memory.dmp

Filesize
6.1MB

Download
memory/1708-6-0x0000000005030000-0x0000000005042000-memory.dmp

Filesize
72KB

Download
memory/1708-7-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/1708-8-0x00000000746F0000-0x0000000074EA1000-memory.dmp

Filesize
7.7MB

Download
memory/1708-9-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/1708-10-0x00000000746F0000-0x0000000074EA1000-memory.dmp

Filesize
7.7MB

Download
memory/4304-0-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/4304-2-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download