redline | b254d9ed08f3a7398fa49ea2b511ba5591c581c6843518048a60569d949dea9c

Analysis

max time kernel
119s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf3a490991a8c8bf088d3e96258c0a0N.exe
Size

968KB
MD5

9cf3a490991a8c8bf088d3e96258c0a0
SHA1

0579860ae04ccfe20c59f86c99e060c9114179b3
SHA256

b254d9ed08f3a7398fa49ea2b511ba5591c581c6843518048a60569d949dea9c
SHA512

e22e83bab96280aed6b329a4476ed5d24536a1f3eb662583bf32509868bb9523a4309e58a4f73528305285e7d8d1d5a566cd9207b167c1291f4dc3de1a978694
SSDEEP

12288:JXCeCOfdk+VhmheZCVtqO9bES8zOFHKPJi4/ubnYLlJ6Gug2tV3:PCMdk+VhpZCVtqxGKPJ3Lz45J

Score

10^/10

redline 5195552529 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5195552529

https://pastebin.com/raw/NgsUAPya

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2576-1-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
128	pastebin.com
453	pastebin.com
41	pastebin.com
324	pastebin.com
381	pastebin.com
371	pastebin.com
146	pastebin.com
167	pastebin.com
400	pastebin.com
480	pastebin.com
49	pastebin.com
115	pastebin.com
350	pastebin.com
379	pastebin.com
323	pastebin.com
349	pastebin.com
7	pastebin.com
208	pastebin.com
233	pastebin.com
284	pastebin.com
72	pastebin.com
213	pastebin.com
147	pastebin.com
353	pastebin.com
387	pastebin.com
408	pastebin.com
474	pastebin.com
144	pastebin.com
253	pastebin.com
32	pastebin.com
107	pastebin.com
118	pastebin.com
333	pastebin.com
58	pastebin.com
152	pastebin.com
315	pastebin.com
330	pastebin.com
153	pastebin.com
475	pastebin.com
250	pastebin.com
304	pastebin.com
316	pastebin.com
376	pastebin.com
179	pastebin.com
33	pastebin.com
108	pastebin.com
230	pastebin.com
426	pastebin.com
66	pastebin.com
105	pastebin.com
162	pastebin.com
180	pastebin.com
190	pastebin.com
326	pastebin.com
358	pastebin.com
156	pastebin.com
163	pastebin.com
178	pastebin.com
259	pastebin.com
272	pastebin.com
59	pastebin.com
75	pastebin.com
204	pastebin.com
83	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cf3a490991a8c8bf088d3e96258c0a0N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2576	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2792	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	87
PID 1672 wrote to memory of 2792	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	87
PID 1672 wrote to memory of 2792	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	87
PID 1672 wrote to memory of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88
PID 1672 wrote to memory of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88
PID 1672 wrote to memory of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88
PID 1672 wrote to memory of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88
PID 1672 wrote to memory of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88
PID 1672 wrote to memory of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88
PID 1672 wrote to memory of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88
PID 1672 wrote to memory of 2576	1672	9cf3a490991a8c8bf088d3e96258c0a0N.exe	88

C:\Users\Admin\AppData\Local\Temp\9cf3a490991a8c8bf088d3e96258c0a0N.exe
"C:\Users\Admin\AppData\Local\Temp\9cf3a490991a8c8bf088d3e96258c0a0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-0-0x0000000000712000-0x0000000000713000-memory.dmp

Filesize
4KB

Download
memory/2576-1-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2576-2-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/2576-3-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/2576-4-0x00000000060B0000-0x00000000066C8000-memory.dmp

Filesize
6.1MB

Download
memory/2576-5-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/2576-6-0x0000000005C30000-0x0000000005D3A000-memory.dmp

Filesize
1.0MB

Download
memory/2576-7-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2576-8-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/2576-9-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download