redline | 3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a

Analysis

max time kernel
129s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a.exe
Size

61KB
MD5

4fdb0cd943aeaff2fd30dc6ca6fd316a
SHA1

7a1fada1fc7b03f16c101016e02e3bdc72d907c2
SHA256

3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a
SHA512

0807faca2ea3b49c9334bf85c10fa11485cd6de91997a78615b16c9fe8aab58b153160e607f18e64daf864a7425a61cc9c7fb5c6f319a51885329c269e907dec
SSDEEP

1536:qY//xqZdFOiPPlFNfypFRX7WsF0MtJjPLy:qoxw1PFqL3PjPLy

Score

10^/10

redline test discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

test

50.116.53.64:3214

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000018334-7.dat	family_redline
behavioral1/memory/2144-11-0x0000000000C50000-0x0000000000C76000-memory.dmp	family_redline

Executes dropped EXE 1 IoCs

pid	Process
2144	Aywk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aywk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	Aywk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2144	392	3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a.exe	29
PID 392 wrote to memory of 2144	392	3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a.exe	29
PID 392 wrote to memory of 2144	392	3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a.exe	29
PID 392 wrote to memory of 2144	392	3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a.exe	29

C:\Users\Admin\AppData\Local\Temp\3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a.exe
"C:\Users\Admin\AppData\Local\Temp\3168addd4309d56c314d003634a3f186276d86eaf27da0cfb08512fe95dbb13a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\Aywk.exe
  "C:\Users\Admin\AppData\Local\Temp\Aywk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aywk.exe

Filesize
125KB

MD5
9f7849a7d0c161cf5ebf80516191aa54

SHA1
4fd556963e83045032cdfe980b57d4c3ca173284

SHA256
000b87cf350178912a2c6a1b66f862cf560224fd63d8e9c385bfd65c67d37c63

SHA512
23bae48d41291cb37abc227c9fa06d1fde8a04d131aa673fe07980f06e3ea46d371080cca91149ce82e68ed1364ec1f10a6c333b874061f799137890b6951c77

Download Submit
memory/392-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/392-1-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/392-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/392-9-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2144-10-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2144-11-0x0000000000C50000-0x0000000000C76000-memory.dmp

Filesize
152KB

Download
memory/2144-12-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-13-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2144-14-0x00000000744A0000-0x0000000074B8E000-memory.dmp

Filesize
6.9MB

Download