redline | 993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645

General

Target

JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe
Size

820.2MB
MD5

11ba9acca050c939b7ce6249b11cf5be
SHA1

d4d9f78adcabc783b9ec6a60a54ae05796255582
SHA256

993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645
SHA512

104677b1ce5ab224a4de053a6e15b5593fd86f2e098a9e72ba06d8be583b619d079861e5252774239188db1a5d4ce2a00a52a484966dc7b6eac7bdec53a125f9
SSDEEP

196608:wDdSapsb2FYXSRUTuNAPqZcrG1IniBEj+9wf6JM7w:wp

Score

10^/10

redline @ken0zz discovery infostealer

Malware Config

Extracted

Family

redline

Botnet

@Ken0zz

C2

176.113.115.24:37118

Attributes

auth_value
68c1f253de2c438189ebe30588f5cf60

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2028-5-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline

Redline family
redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83
PID 1924 wrote to memory of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83
PID 1924 wrote to memory of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83
PID 1924 wrote to memory of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83
PID 1924 wrote to memory of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83
PID 1924 wrote to memory of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83
PID 1924 wrote to memory of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83
PID 1924 wrote to memory of 2028	1924	JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe	83

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JaffaCakes118_993a7a8d6dc703d3d1fe8c2c65dfb79a510423c203e32d22ff2ac3cd10822645.exe.log

Filesize
617B

MD5
806dff23883c0aa6dcb04133b1380075

SHA1
ab9c711b18ac9edbd41966b3495f837746dbc146

SHA256
b58a668ac53e656011a581a7c1ce3d763b8120487f3017a5881298a588a34e17

SHA512
42ff1897d652e4bf0467e402a9386501810db93d1e18824bb61ec231d50ae9dabed04043cd60996cd508fd3e495825bb02acb5d7619e20773f9bdc5c453017b6

Download Submit
memory/1924-3-0x0000000006170000-0x000000000618C000-memory.dmp

Filesize
112KB

Download
memory/1924-1-0x00000000007D0000-0x000000000162E000-memory.dmp

Filesize
14.4MB

Download
memory/1924-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/1924-4-0x0000000006290000-0x000000000632C000-memory.dmp

Filesize
624KB

Download
memory/1924-2-0x0000000006740000-0x0000000006CE4000-memory.dmp

Filesize
5.6MB

Download
memory/2028-9-0x0000000006820000-0x0000000006E38000-memory.dmp

Filesize
6.1MB

Download
memory/2028-8-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2028-5-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2028-10-0x0000000006310000-0x000000000641A000-memory.dmp

Filesize
1.0MB

Download
memory/2028-11-0x0000000003E50000-0x0000000003E62000-memory.dmp

Filesize
72KB

Download
memory/2028-12-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2028-13-0x0000000006200000-0x000000000623C000-memory.dmp

Filesize
240KB

Download
memory/2028-14-0x0000000006240000-0x000000000628C000-memory.dmp

Filesize
304KB

Download
memory/2028-15-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing