redline | cfbb03f5736821b65dd01bdb4187911a278faa8c07fd29e402a24ea58c414259

General

Target

482caddfddfe63e8a5803a99b8da7be5.exe
Size

287KB
MD5

482caddfddfe63e8a5803a99b8da7be5
SHA1

6c1f308011f4c939c9b86a7bc84d9e2a28ee3c5e
SHA256

cfbb03f5736821b65dd01bdb4187911a278faa8c07fd29e402a24ea58c414259
SHA512

316cf106097a7b3f4c907e4f3fb1338b76a325afa2c9d74bbe5c4aa21fd6eae114e5a1b13c4f85c9363950b560a7df71b132fdd1c9f642a7a959ed63d7d2f688

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1316-5-0x0000000006B50000-0x0000000006B79000-memory.dmp	family_redline
behavioral2/memory/1316-7-0x0000000006DC0000-0x0000000006DE7000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

482caddfddfe63e8a5803a99b8da7be5.exe

pid process

1316 482caddfddfe63e8a5803a99b8da7be5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

482caddfddfe63e8a5803a99b8da7be5.exe

description pid process

Token: SeDebugPrivilege 1316 482caddfddfe63e8a5803a99b8da7be5.exe

pid	process
1316	482caddfddfe63e8a5803a99b8da7be5.exe

description	pid	process
Token: SeDebugPrivilege	1316	482caddfddfe63e8a5803a99b8da7be5.exe

C:\Users\Admin\AppData\Local\Temp\482caddfddfe63e8a5803a99b8da7be5.exe
"C:\Users\Admin\AppData\Local\Temp\482caddfddfe63e8a5803a99b8da7be5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-2-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/1316-3-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/1316-4-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/1316-5-0x0000000006B50000-0x0000000006B79000-memory.dmp

Filesize
164KB

Download
memory/1316-6-0x00000000092B0000-0x00000000092B1000-memory.dmp

Filesize
4KB

Download
memory/1316-7-0x0000000006DC0000-0x0000000006DE7000-memory.dmp

Filesize
156KB

Download
memory/1316-8-0x00000000097B0000-0x00000000097B1000-memory.dmp

Filesize
4KB

Download
memory/1316-9-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/1316-10-0x0000000009E00000-0x0000000009E01000-memory.dmp

Filesize
4KB

Download
memory/1316-11-0x0000000009E70000-0x0000000009E71000-memory.dmp

Filesize
4KB

Download
memory/1316-12-0x0000000009FF0000-0x0000000009FF1000-memory.dmp

Filesize
4KB

Download
memory/1316-13-0x000000000ACD0000-0x000000000ACD1000-memory.dmp

Filesize
4KB

Download
memory/1316-14-0x000000000AEA0000-0x000000000AEA1000-memory.dmp

Filesize
4KB

Download
memory/1316-15-0x000000000B4D0000-0x000000000B4D1000-memory.dmp

Filesize
4KB

Download
memory/1316-16-0x000000000B590000-0x000000000B591000-memory.dmp

Filesize
4KB

Download
memory/1316-17-0x000000000B620000-0x000000000B621000-memory.dmp

Filesize
4KB

Download
memory/1316-18-0x000000000BAF0000-0x000000000BAF1000-memory.dmp

Filesize
4KB

Download
memory/1316-19-0x000000000C340000-0x000000000C341000-memory.dmp

Filesize
4KB

Download
memory/1316-20-0x000000000C3D0000-0x000000000C3D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing