redline | eec9f565329a6a6e4129c775a212eda9a3e23001dff996345538de0ea1f6bdfc

General

Target

a2e3c0c01670119412c1beae95e37415.exe
Size

344KB
MD5

a2e3c0c01670119412c1beae95e37415
SHA1

913f416ad7fdb60faf9e40030fb33259457045d5
SHA256

eec9f565329a6a6e4129c775a212eda9a3e23001dff996345538de0ea1f6bdfc
SHA512

1da28b8646f8e803aac167720b28c25fd6a677caecdcf152bd228541533faf05556e0385e403ace85de4458d36afd4ab6236612a7d47ae8064d13e8c56e88209

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/672-5-0x00000000067F0000-0x0000000006819000-memory.dmp	family_redline
behavioral2/memory/672-7-0x00000000069C0000-0x00000000069E8000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a2e3c0c01670119412c1beae95e37415.exe

pid process

672 a2e3c0c01670119412c1beae95e37415.exe
672 a2e3c0c01670119412c1beae95e37415.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a2e3c0c01670119412c1beae95e37415.exe

description pid process

Token: SeDebugPrivilege 672 a2e3c0c01670119412c1beae95e37415.exe

pid	process
672	a2e3c0c01670119412c1beae95e37415.exe
672	a2e3c0c01670119412c1beae95e37415.exe

description	pid	process
Token: SeDebugPrivilege	672	a2e3c0c01670119412c1beae95e37415.exe

C:\Users\Admin\AppData\Local\Temp\a2e3c0c01670119412c1beae95e37415.exe
"C:\Users\Admin\AppData\Local\Temp\a2e3c0c01670119412c1beae95e37415.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/672-2-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/672-3-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/672-4-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/672-5-0x00000000067F0000-0x0000000006819000-memory.dmp

Filesize
164KB

Download
memory/672-6-0x0000000008F60000-0x0000000008F61000-memory.dmp

Filesize
4KB

Download
memory/672-7-0x00000000069C0000-0x00000000069E8000-memory.dmp

Filesize
160KB

Download
memory/672-8-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/672-9-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/672-10-0x0000000009AC0000-0x0000000009AC1000-memory.dmp

Filesize
4KB

Download
memory/672-11-0x0000000009B30000-0x0000000009B31000-memory.dmp

Filesize
4KB

Download
memory/672-12-0x0000000009CB0000-0x0000000009CB1000-memory.dmp

Filesize
4KB

Download
memory/672-13-0x000000000A990000-0x000000000A991000-memory.dmp

Filesize
4KB

Download
memory/672-14-0x000000000AB60000-0x000000000AB61000-memory.dmp

Filesize
4KB

Download
memory/672-15-0x000000000B190000-0x000000000B191000-memory.dmp

Filesize
4KB

Download
memory/672-16-0x000000000B250000-0x000000000B251000-memory.dmp

Filesize
4KB

Download
memory/672-17-0x000000000B2E0000-0x000000000B2E1000-memory.dmp

Filesize
4KB

Download
memory/672-18-0x000000000B7B0000-0x000000000B7B1000-memory.dmp

Filesize
4KB

Download
memory/672-19-0x000000000C780000-0x000000000C781000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing