redline | 3be046eecb8b4cbcf667ffcae447b5be3039638d1e41ccdad95795b185219f98

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3be046eecb8b4cbcf667ffcae447b5be3039638d1e41ccdad95795b185219f98.exe
Size

721.4MB
MD5

1eeea22e7fb6ac049baa0ef4bc304831
SHA1

47e6b0373f583826540da199ea776904d3a4d179
SHA256

3be046eecb8b4cbcf667ffcae447b5be3039638d1e41ccdad95795b185219f98
SHA512

ad9a64bca8d1469e587b556ce3b986a78f73bc93c0ecc36049c79cb35429d525e6e9fe38e96d626e3d1544e4fa85523714018e06c635954bc85e14bdf3e3f88f
SSDEEP

3072:KZjod0nQkDcnycVJQiqCyCcwgkpKqiCY8+QlTyh:Uj/hUJSvqxl

Score

10^/10

redline 5527589964_99 discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

5527589964_99

https://pastebin.com/raw/tnW31tPp

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2400-2-0x0000000000020000-0x000000000003E000-memory.dmp	family_redline

Redline family
redline
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
261	pastebin.com
297	pastebin.com
61	pastebin.com
81	pastebin.com
98	pastebin.com
271	pastebin.com
273	pastebin.com
43	pastebin.com
136	pastebin.com
116	pastebin.com
155	pastebin.com
447	pastebin.com
167	pastebin.com
173	pastebin.com
296	pastebin.com
425	pastebin.com
182	pastebin.com
362	pastebin.com
423	pastebin.com
144	pastebin.com
216	pastebin.com
359	pastebin.com
389	pastebin.com
335	pastebin.com
443	pastebin.com
5	pastebin.com
60	pastebin.com
148	pastebin.com
214	pastebin.com
95	pastebin.com
361	pastebin.com
104	pastebin.com
66	pastebin.com
367	pastebin.com
375	pastebin.com
436	pastebin.com
210	pastebin.com
316	pastebin.com
414	pastebin.com
456	pastebin.com
13	pastebin.com
27	pastebin.com
325	pastebin.com
346	pastebin.com
85	pastebin.com
228	pastebin.com
337	pastebin.com
254	pastebin.com
53	pastebin.com
68	pastebin.com
138	pastebin.com
157	pastebin.com
149	pastebin.com
356	pastebin.com
266	pastebin.com
21	pastebin.com
108	pastebin.com
369	pastebin.com
374	pastebin.com
124	pastebin.com
194	pastebin.com
178	pastebin.com
38	pastebin.com
212	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3be046eecb8b4cbcf667ffcae447b5be3039638d1e41ccdad95795b185219f98.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	JaffaCakes118_3be046eecb8b4cbcf667ffcae447b5be3039638d1e41ccdad95795b185219f98.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be046eecb8b4cbcf667ffcae447b5be3039638d1e41ccdad95795b185219f98.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3be046eecb8b4cbcf667ffcae447b5be3039638d1e41ccdad95795b185219f98.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-0-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2400-2-0x0000000000020000-0x000000000003E000-memory.dmp

Filesize
120KB

Download
memory/2400-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download