redline | 0937a738282fbc6ec10c9bdf9f94d76cfb4832fcfff549da33ff15df16de2cd9

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe
Size

2.4MB
MD5

b3998f79a78baef7cf93c7e26b07d16b
SHA1

45127505d72584c690418d81c7f2b24cb7ffe84d
SHA256

6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64
SHA512

9927feba765d7f17f16e5daccac7065801e241c4c6a1f1045e784e72d5ef5c71ca57d67ee6e24009b0af67b44d98248d0019d9b2f63332b4e77697b158afc282
SSDEEP

24576:eBP8ORYWYNzBqY/M9mo6ernms16sloTzR5SXggBMVmnL9RLr3Pl3RuQ55313V:eR8jMfloTF5SJMVmnL9Rnl3P

Score

10^/10

redline @jeamoff discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@jeamoff

5.182.36.101:31305

Attributes

auth_value
7c2fde5fc33439094a0b76dd7b33f7cd

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/134816-3-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/134816-10-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/134816-9-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32
PID 2024 wrote to memory of 134816	2024	6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe	32

C:\Users\Admin\AppData\Local\Temp\6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe
"C:\Users\Admin\AppData\Local\Temp\6cc44d98ce2fb628b25519eb2aa476b81c1dca23b4c11fb3f26951bba8e68d64.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:134816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-0-0x00000000004CB000-0x00000000004CD000-memory.dmp

Filesize
8KB

Download
memory/2024-11-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/134816-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/134816-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/134816-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/134816-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/134816-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/134816-12-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/134816-13-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download