redline | 4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9

General

Target

4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe
Size

1.1MB
MD5

688ce25c0d970bd0cc5a02bbb16a4301
SHA1

4984205608a7585e8e78326e43cf2442a21c2147
SHA256

4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9
SHA512

1a3bae7376cae0edb17278ced19f8d7c3b5abadc140e01093e4ac5191f36d3992ff89c75e2ee189a36cd92aa0fd8e6b007abfb6727a0845c3b04bf87d74a1401
SSDEEP

12288:saoC1vsSdG7a+CKe3/hR5TlHLAy3IzblaDklxG5MyVHKYp70C8QmBBoZUq9EbJdl:sau7N2y0d+5KqP

Score

10^/10

redline 968071618 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

968071618

C2

https://t.me/+7Lir0e4Gw381MDhi

https://steamcommunity.com/profiles/76561199038841443

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/504-8-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Loads dropped DLL 1 IoCs

pid	Process
2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe
504	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	504	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73
PID 2772 wrote to memory of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73
PID 2772 wrote to memory of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73
PID 2772 wrote to memory of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73
PID 2772 wrote to memory of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73
PID 2772 wrote to memory of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73
PID 2772 wrote to memory of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73
PID 2772 wrote to memory of 504	2772	4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe	73

C:\Users\Admin\AppData\Local\Temp\4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe
"C:\Users\Admin\AppData\Local\Temp\4d381490846011bb6f4814a0238194047d2078c90ada48aae6b89afc2b939bb9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
332KB

MD5
d1bdcd9dc1d0d67b94f037813fd3d2fa

SHA1
5e96a8925f29f15e523d0a085ede3dc248a2869e

SHA256
8cf9fbeb1ecb2c375ff3d411fa25a21a4a6ffafad5076052c4b6951e02f27dfe

SHA512
1b7163d7f8c27ca559f86a179e550b0f3d105ef4e7318863c780128fa0b093679fa4129940b353244b9548807a710f5852aed86c0a8263d33dd584f941a29d43

Download Submit
memory/504-18-0x0000000006B40000-0x0000000006B7E000-memory.dmp

Filesize
248KB

Download
memory/504-14-0x00000000062F0000-0x00000000068F6000-memory.dmp

Filesize
6.0MB

Download
memory/504-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/504-21-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/504-19-0x0000000006C80000-0x0000000006CCB000-memory.dmp

Filesize
300KB

Download
memory/504-12-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/504-15-0x0000000005D60000-0x0000000005D72000-memory.dmp

Filesize
72KB

Download
memory/504-17-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/504-13-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/504-16-0x0000000005E90000-0x0000000005F9A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-1-0x0000000000EE0000-0x0000000001004000-memory.dmp

Filesize
1.1MB

Download
memory/2772-0-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

Filesize
4KB

Download
memory/2772-11-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/2772-20-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/2772-10-0x0000000077BC1000-0x0000000077CD4000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing