redline | f10e15ec0b0ed8ea201ac5f07b1bf547d3c592d3b1a359f564c8dc717dfca690

General

Target

174047408DE41770494EF4CFDC6B4B75.exe
Size

374KB
MD5

174047408de41770494ef4cfdc6b4b75
SHA1

be5d55981090e243d3fcf50195a4f8f52624d5c4
SHA256

f10e15ec0b0ed8ea201ac5f07b1bf547d3c592d3b1a359f564c8dc717dfca690
SHA512

45b818ce122388fca30146e1b788d30540da808adcd4881bae60026445896367ab6caeac6d082750703380e697a9dbaa1db9259660edfcdd2a518cb271a6ee58
SSDEEP

6144:yauvUJRc8Xk96UudPq/KvhvhNTbFCUFyw0eOz0wDmz6E6NgYnMfhlD16Xd9Cnx:yaOUJDUZu2wbueyxZM6z8hlD1H

Score

10^/10

redline 6894345723_99 infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

6894345723_99

C2

https://pastebin.com/raw/8baCJyMF

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1496-8-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Loads dropped DLL 1 IoCs

Processes:

174047408DE41770494EF4CFDC6B4B75.exe

pid process

216 174047408DE41770494EF4CFDC6B4B75.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 pastebin.com
8 pastebin.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

174047408DE41770494EF4CFDC6B4B75.exe

description pid process target process

PID 216 set thread context of 1496 216 174047408DE41770494EF4CFDC6B4B75.exe MSBuild.exe

pid	process
216	174047408DE41770494EF4CFDC6B4B75.exe

flow	ioc
7	pastebin.com
8	pastebin.com

description	pid	process	target process
PID 216 set thread context of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

MSBuild.exe

pid	process
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe
1496	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1496 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1496	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

174047408DE41770494EF4CFDC6B4B75.exe

description	pid	process	target process
PID 216 wrote to memory of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe
PID 216 wrote to memory of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe
PID 216 wrote to memory of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe
PID 216 wrote to memory of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe
PID 216 wrote to memory of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe
PID 216 wrote to memory of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe
PID 216 wrote to memory of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe
PID 216 wrote to memory of 1496	216	174047408DE41770494EF4CFDC6B4B75.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\174047408DE41770494EF4CFDC6B4B75.exe
"C:\Users\Admin\AppData\Local\Temp\174047408DE41770494EF4CFDC6B4B75.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
212KB

MD5
c58881069f2dd1531a6c558b7acba22b

SHA1
cb66b4ac9ab3257b8eb3a0d5bfb06bde8764e5b4

SHA256
136f499084ef0f6a27828fc16584d06d9d27800a4963f23052ef190b164acc7d

SHA512
5587874b6ec2598cf61e668e947ac85d0261d75b99426f9e0d6ef6faaa813858f4cbec41215f95dca642b2f9ccad2d3665e9c53130921bebd4e3917df6e28b35

Download Submit
memory/216-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/216-1-0x0000000000CE0000-0x0000000000D44000-memory.dmp

Filesize
400KB

Download
memory/216-28-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/216-10-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-16-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-20-0x00000000075C0000-0x0000000007AEC000-memory.dmp

Filesize
5.2MB

Download
memory/1496-13-0x0000000006330000-0x0000000006948000-memory.dmp

Filesize
6.1MB

Download
memory/1496-14-0x0000000005D50000-0x0000000005D62000-memory.dmp

Filesize
72KB

Download
memory/1496-15-0x0000000005E80000-0x0000000005F8A000-memory.dmp

Filesize
1.0MB

Download
memory/1496-11-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-17-0x0000000006B50000-0x0000000006B8C000-memory.dmp

Filesize
240KB

Download
memory/1496-18-0x0000000006B90000-0x0000000006BDC000-memory.dmp

Filesize
304KB

Download
memory/1496-19-0x0000000006EC0000-0x0000000007082000-memory.dmp

Filesize
1.8MB

Download
memory/1496-12-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/1496-21-0x0000000007090000-0x0000000007122000-memory.dmp

Filesize
584KB

Download
memory/1496-22-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/1496-23-0x00000000071B0000-0x0000000007226000-memory.dmp

Filesize
472KB

Download
memory/1496-24-0x0000000007130000-0x000000000714E000-memory.dmp

Filesize
120KB

Download
memory/1496-25-0x0000000007280000-0x00000000072D0000-memory.dmp

Filesize
320KB

Download
memory/1496-27-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads