redline | 6380b6aacedc8b0dd90421a7cd2d933d8e5f546497699fd03dd4ce3983d57248

General

Target

318655bc5bd250d8a0b65715330aa78f.exe
Size

296KB
MD5

318655bc5bd250d8a0b65715330aa78f
SHA1

008edde78a5ba7970025ffe34cc17296232e52d0
SHA256

6380b6aacedc8b0dd90421a7cd2d933d8e5f546497699fd03dd4ce3983d57248
SHA512

2761729e054a396895eb41bc5ea99e3d0dc24d00858f02fb83ea815005f8d427ca4473e67f1ed551d97692235e0c15e015323c3057f20296298c87382a9693db

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1080-6-0x0000000006AF0000-0x0000000006B19000-memory.dmp	family_redline
behavioral2/memory/1080-8-0x0000000009340000-0x0000000009367000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

318655bc5bd250d8a0b65715330aa78f.exe

pid process

1080 318655bc5bd250d8a0b65715330aa78f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

318655bc5bd250d8a0b65715330aa78f.exe

description pid process

Token: SeDebugPrivilege 1080 318655bc5bd250d8a0b65715330aa78f.exe

pid	process
1080	318655bc5bd250d8a0b65715330aa78f.exe

description	pid	process
Token: SeDebugPrivilege	1080	318655bc5bd250d8a0b65715330aa78f.exe

C:\Users\Admin\AppData\Local\Temp\318655bc5bd250d8a0b65715330aa78f.exe
"C:\Users\Admin\AppData\Local\Temp\318655bc5bd250d8a0b65715330aa78f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-2-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/1080-3-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/1080-4-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1080-5-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/1080-6-0x0000000006AF0000-0x0000000006B19000-memory.dmp

Filesize
164KB

Download
memory/1080-7-0x00000000093C0000-0x00000000093C1000-memory.dmp

Filesize
4KB

Download
memory/1080-8-0x0000000009340000-0x0000000009367000-memory.dmp

Filesize
156KB

Download
memory/1080-9-0x00000000098C0000-0x00000000098C1000-memory.dmp

Filesize
4KB

Download
memory/1080-10-0x0000000009F30000-0x0000000009F31000-memory.dmp

Filesize
4KB

Download
memory/1080-11-0x0000000009F50000-0x0000000009F51000-memory.dmp

Filesize
4KB

Download
memory/1080-12-0x0000000009FC0000-0x0000000009FC1000-memory.dmp

Filesize
4KB

Download
memory/1080-13-0x000000000A140000-0x000000000A141000-memory.dmp

Filesize
4KB

Download
memory/1080-14-0x000000000AE20000-0x000000000AE21000-memory.dmp

Filesize
4KB

Download
memory/1080-15-0x000000000AFF0000-0x000000000AFF1000-memory.dmp

Filesize
4KB

Download
memory/1080-16-0x000000000B620000-0x000000000B621000-memory.dmp

Filesize
4KB

Download
memory/1080-17-0x000000000B6E0000-0x000000000B6E1000-memory.dmp

Filesize
4KB

Download
memory/1080-18-0x000000000B770000-0x000000000B771000-memory.dmp

Filesize
4KB

Download
memory/1080-19-0x000000000C800000-0x000000000C801000-memory.dmp

Filesize
4KB

Download
memory/1080-20-0x000000000C880000-0x000000000C881000-memory.dmp

Filesize
4KB

Download
memory/1080-21-0x000000000CA20000-0x000000000CA21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing