redline | f66854431dc57070e060e776be18cba0992366fab22b71f8cf929b91c81a6c26

Analysis

max time kernel
127s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe
Size

315KB
MD5

3d4c73f2d10c4ea03e9f55af41a02d7f
SHA1

e9f70b120dbab724b88c37161e5df5d8607d7500
SHA256

2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f
SHA512

05122b99c10edc0ea4b69f471daf0ce182268d505166e05a69757016f7f87b5e031911c8efd0e6722691b236df5bf2bef74f7a315d9c6c2c6d1e363bf9d98f27
SSDEEP

6144:rI9pI60nbM8uPZy3+8KID2YuDUtMXVgbhAZdxldn+kXHS:s9+60nbnuNYV2glAnjJZHS

Score

10^/10

redline 5345987420 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5345987420

https://pastebin.com/raw/KE5Mft0T

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral8/memory/1228-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

19 pastebin.com
34 pastebin.com
39 pastebin.com
45 pastebin.com
46 pastebin.com
18 pastebin.com

flow	ioc
19	pastebin.com
34	pastebin.com
39	pastebin.com
45	pastebin.com
46	pastebin.com
18	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe

description	pid	process	target process
PID 2160 set thread context of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

1228 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1228 RegAsm.exe

pid	process
1228	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1228	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe

description	pid	process	target process
PID 2160 wrote to memory of 4816	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 4816	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 4816	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 3740	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 3740	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 3740	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 3556	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 3556	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 3556	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe
PID 2160 wrote to memory of 1228	2160	2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe
"C:\Users\Admin\AppData\Local\Temp\2d1e7e578c80b8d8058a776542e88f81546a3603e80751bef11e72c2329d748f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1228-2-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1228-3-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/1228-4-0x00000000061D0000-0x00000000067E8000-memory.dmp

Filesize
6.1MB

Download
memory/1228-5-0x0000000005C30000-0x0000000005C42000-memory.dmp

Filesize
72KB

Download
memory/1228-6-0x0000000005D60000-0x0000000005E6A000-memory.dmp

Filesize
1.0MB

Download
memory/1228-7-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-8-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1228-9-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2160-0-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download