redline | d5a592a952140b52fde783c6281f82986a3aee2f05de63fe7b6ff2d76db11670

General

Target

85976e531510c3f092d3a7e8ca5d04fd.exe
Size

324KB
MD5

85976e531510c3f092d3a7e8ca5d04fd
SHA1

f58570d7373d487c7d3e01d4de09ab456408a046
SHA256

d5a592a952140b52fde783c6281f82986a3aee2f05de63fe7b6ff2d76db11670
SHA512

096b15da27c008c7889ed897f8331db4e9fc80b281172b4e7ba601585988b8f279af88db2cbe4327eea1d4938324c3890d2a2dae24bef8429a1f85d173c3ea09

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3888-7-0x0000000006580000-0x00000000065A9000-memory.dmp	family_redline
behavioral2/memory/3888-9-0x0000000008CA0000-0x0000000008CC8000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

85976e531510c3f092d3a7e8ca5d04fd.exe

pid process

3888 85976e531510c3f092d3a7e8ca5d04fd.exe
3888 85976e531510c3f092d3a7e8ca5d04fd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

85976e531510c3f092d3a7e8ca5d04fd.exe

description pid process

Token: SeDebugPrivilege 3888 85976e531510c3f092d3a7e8ca5d04fd.exe

pid	process
3888	85976e531510c3f092d3a7e8ca5d04fd.exe
3888	85976e531510c3f092d3a7e8ca5d04fd.exe

description	pid	process
Token: SeDebugPrivilege	3888	85976e531510c3f092d3a7e8ca5d04fd.exe

C:\Users\Admin\AppData\Local\Temp\85976e531510c3f092d3a7e8ca5d04fd.exe
"C:\Users\Admin\AppData\Local\Temp\85976e531510c3f092d3a7e8ca5d04fd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3888-2-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3888-3-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/3888-4-0x00000000738F0000-0x0000000073FDE000-memory.dmp

Filesize
6.9MB

Download
memory/3888-5-0x0000000004700000-0x0000000004735000-memory.dmp

Filesize
212KB

Download
memory/3888-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3888-7-0x0000000006580000-0x00000000065A9000-memory.dmp

Filesize
164KB

Download
memory/3888-8-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/3888-9-0x0000000008CA0000-0x0000000008CC8000-memory.dmp

Filesize
160KB

Download
memory/3888-10-0x0000000009220000-0x0000000009221000-memory.dmp

Filesize
4KB

Download
memory/3888-11-0x0000000009890000-0x0000000009891000-memory.dmp

Filesize
4KB

Download
memory/3888-12-0x00000000098B0000-0x00000000098B1000-memory.dmp

Filesize
4KB

Download
memory/3888-13-0x0000000008D10000-0x0000000008D11000-memory.dmp

Filesize
4KB

Download
memory/3888-14-0x0000000008D12000-0x0000000008D13000-memory.dmp

Filesize
4KB

Download
memory/3888-15-0x0000000008D13000-0x0000000008D14000-memory.dmp

Filesize
4KB

Download
memory/3888-16-0x0000000009920000-0x0000000009921000-memory.dmp

Filesize
4KB

Download
memory/3888-17-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/3888-18-0x0000000008D14000-0x0000000008D16000-memory.dmp

Filesize
8KB

Download
memory/3888-19-0x000000000A780000-0x000000000A781000-memory.dmp

Filesize
4KB

Download
memory/3888-20-0x000000000A950000-0x000000000A951000-memory.dmp

Filesize
4KB

Download
memory/3888-21-0x000000000AF80000-0x000000000AF81000-memory.dmp

Filesize
4KB

Download
memory/3888-22-0x000000000B040000-0x000000000B041000-memory.dmp

Filesize
4KB

Download
memory/3888-23-0x000000000B0D0000-0x000000000B0D1000-memory.dmp

Filesize
4KB

Download
memory/3888-24-0x000000000C160000-0x000000000C161000-memory.dmp

Filesize
4KB

Download
memory/3888-25-0x000000000C1F0000-0x000000000C1F1000-memory.dmp

Filesize
4KB

Download
memory/3888-26-0x000000000C590000-0x000000000C591000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing