redline | e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934

General

Target

e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe
Size

284KB
MD5

fa1c1fcc619721d1893c63202d50f8ba
SHA1

767dc9467114561897c2bbf64f5ed277bc29ae10
SHA256

e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934
SHA512

9b46194bb04d094bed5ace8e46145877d4ddad85297861bc2a41e5a8ee094eb410641f8f3238e7bdd6d6289ab3dfbb4a542806579b1ac4f8630bcf9861c2f5bb
SSDEEP

6144:wxUXj6jSRtoAHuIk5+XihRBD/u59nOik6midiUgxL:wxvjeH5k5yqPqTOb63iUgxL

Score

10^/10

redline discovery infostealer spyware

Malware Config

Extracted

Family

redline

C2

185.196.9.26:6302

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/660-11-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Loads dropped DLL 1 IoCs

pid	Process
1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
660	MSBuild.exe
660	MSBuild.exe
660	MSBuild.exe
660	MSBuild.exe
660	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83
PID 1848 wrote to memory of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83
PID 1848 wrote to memory of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83
PID 1848 wrote to memory of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83
PID 1848 wrote to memory of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83
PID 1848 wrote to memory of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83
PID 1848 wrote to memory of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83
PID 1848 wrote to memory of 660	1848	e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe	83

C:\Users\Admin\AppData\Local\Temp\e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe
"C:\Users\Admin\AppData\Local\Temp\e35d3e27246802dedb9608a7a8bacf385282e66601b8a80ce3c703a5c234f934.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
500KB

MD5
9973e5b3f078c8e7b5050d5724d10502

SHA1
37cae6d4c71cd8594ec163f5ffae108782dabe9e

SHA256
ab350489dd9c8589fba8d19ea2ba6026bfff3cf52ba23e752636f3ba9862553d

SHA512
0e4129cc3364679b651027e5c715f9fd7dc1bb55efb2f4103f2f5309847a9d0d2931aebfba4770f0a73a24b8d7931b7e7c6cdbb1e11d6776276b02ac5c10ad72

Download Submit
memory/660-18-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/660-23-0x0000000005A70000-0x0000000005ABC000-memory.dmp

Filesize
304KB

Download
memory/660-17-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/660-29-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/660-27-0x00000000079D0000-0x0000000007EFC000-memory.dmp

Filesize
5.2MB

Download
memory/660-11-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/660-26-0x00000000072D0000-0x0000000007492000-memory.dmp

Filesize
1.8MB

Download
memory/660-14-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/660-15-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/660-16-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/660-31-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/660-28-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/660-21-0x0000000005890000-0x00000000058A2000-memory.dmp

Filesize
72KB

Download
memory/660-20-0x0000000005960000-0x0000000005A6A000-memory.dmp

Filesize
1.0MB

Download
memory/660-19-0x0000000006790000-0x0000000006DA8000-memory.dmp

Filesize
6.1MB

Download
memory/660-22-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/660-25-0x0000000006FB0000-0x0000000007000000-memory.dmp

Filesize
320KB

Download
memory/660-24-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/1848-2-0x00000000010F0000-0x00000000010F6000-memory.dmp

Filesize
24KB

Download
memory/1848-13-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/1848-10-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/1848-0-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/1848-1-0x0000000000950000-0x00000000009A0000-memory.dmp

Filesize
320KB

Download
memory/1848-3-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing