redline | c69abca6861cab059b6ae9f8745b25359ab757af64c6388efd386d04f87bafda

General

Target

addc4da6b84c4cdef13423e06dcd1492.exe
Size

319KB
MD5

addc4da6b84c4cdef13423e06dcd1492
SHA1

45c14d4cc9a6b4133ef991423107186049e8ff2b
SHA256

c69abca6861cab059b6ae9f8745b25359ab757af64c6388efd386d04f87bafda
SHA512

2b00e23490d3fd8625e7ccb9a0f5f7a115132d5fbe0ac9e79edbf49729b92b9f2851b35d36b4b344b6ec91bd1c2f424c92282e142ad2d2ad6dd6490d50cb0ad4

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3372-5-0x0000000006790000-0x00000000067B9000-memory.dmp	family_redline
behavioral2/memory/3372-7-0x0000000006820000-0x0000000006847000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

addc4da6b84c4cdef13423e06dcd1492.exe

pid process

3372 addc4da6b84c4cdef13423e06dcd1492.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

addc4da6b84c4cdef13423e06dcd1492.exe

description pid process

Token: SeDebugPrivilege 3372 addc4da6b84c4cdef13423e06dcd1492.exe

pid	process
3372	addc4da6b84c4cdef13423e06dcd1492.exe

description	pid	process
Token: SeDebugPrivilege	3372	addc4da6b84c4cdef13423e06dcd1492.exe

C:\Users\Admin\AppData\Local\Temp\addc4da6b84c4cdef13423e06dcd1492.exe
"C:\Users\Admin\AppData\Local\Temp\addc4da6b84c4cdef13423e06dcd1492.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3372-2-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3372-3-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/3372-4-0x0000000073810000-0x0000000073EFE000-memory.dmp

Filesize
6.9MB

Download
memory/3372-5-0x0000000006790000-0x00000000067B9000-memory.dmp

Filesize
164KB

Download
memory/3372-6-0x0000000008F80000-0x0000000008F81000-memory.dmp

Filesize
4KB

Download
memory/3372-7-0x0000000006820000-0x0000000006847000-memory.dmp

Filesize
156KB

Download
memory/3372-8-0x0000000009480000-0x0000000009481000-memory.dmp

Filesize
4KB

Download
memory/3372-9-0x0000000009A90000-0x0000000009A91000-memory.dmp

Filesize
4KB

Download
memory/3372-10-0x0000000009AB0000-0x0000000009AB1000-memory.dmp

Filesize
4KB

Download
memory/3372-11-0x0000000009B10000-0x0000000009B11000-memory.dmp

Filesize
4KB

Download
memory/3372-12-0x0000000009C90000-0x0000000009C91000-memory.dmp

Filesize
4KB

Download
memory/3372-13-0x000000000A970000-0x000000000A971000-memory.dmp

Filesize
4KB

Download
memory/3372-14-0x000000000AB40000-0x000000000AB41000-memory.dmp

Filesize
4KB

Download
memory/3372-15-0x000000000B170000-0x000000000B171000-memory.dmp

Filesize
4KB

Download
memory/3372-16-0x000000000B230000-0x000000000B231000-memory.dmp

Filesize
4KB

Download
memory/3372-17-0x000000000B2C0000-0x000000000B2C1000-memory.dmp

Filesize
4KB

Download
memory/3372-18-0x000000000C350000-0x000000000C351000-memory.dmp

Filesize
4KB

Download
memory/3372-19-0x000000000C3D0000-0x000000000C3D1000-memory.dmp

Filesize
4KB

Download
memory/3372-20-0x000000000C770000-0x000000000C771000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing