redline | 5550b1e0d878ef2c7296596d9a7a44d380b48c77121d8cf4f04289ac7ab9a1e6

Analysis

Target

c42c574acc963c0041700758094ab7fb.exe
Size

343KB
MD5

c42c574acc963c0041700758094ab7fb
SHA1

5c3ff1be7da451976438f6f8c1fd1aadd8823093
SHA256

5550b1e0d878ef2c7296596d9a7a44d380b48c77121d8cf4f04289ac7ab9a1e6
SHA512

f2583334c76a21edac1f8b36bb3d72166d3b9fc0ba9da42c31b70facac666a5357cf20974854973fa6721d8754cdd28e77eb3a5d41ee73160fc8c223a433ca41

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1096-6-0x0000000004650000-0x0000000004679000-memory.dmp	family_redline
behavioral1/memory/1096-7-0x00000000062C0000-0x00000000062E7000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c42c574acc963c0041700758094ab7fb.exe

pid process

1096 c42c574acc963c0041700758094ab7fb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c42c574acc963c0041700758094ab7fb.exe

description pid process

Token: SeDebugPrivilege 1096 c42c574acc963c0041700758094ab7fb.exe

pid	process
1096	c42c574acc963c0041700758094ab7fb.exe

description	pid	process
Token: SeDebugPrivilege	1096	c42c574acc963c0041700758094ab7fb.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1096-2-0x00000000046EE000-0x00000000046EF000-memory.dmp

Filesize
4KB

Download
memory/1096-3-0x0000000005EF0000-0x0000000005F01000-memory.dmp

Filesize
68KB

Download
memory/1096-4-0x0000000006030000-0x0000000006041000-memory.dmp

Filesize
68KB

Download
memory/1096-5-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1096-6-0x0000000004650000-0x0000000004679000-memory.dmp

Filesize
164KB

Download
memory/1096-7-0x00000000062C0000-0x00000000062E7000-memory.dmp

Filesize
156KB

Download