redline | f0d8b6a1f4419032cb6d9fa80ac8c9273e14d3a1742aabd5d3b585aeb758d8af

General

Target

49P3sz7hwaBCw38mzH6t.exe
Size

404KB
MD5

4e6bb58eee8e114103551fbb7441fa78
SHA1

e4ff0b96d9abadfa27ad215a1251661c827e1dbf
SHA256

f0d8b6a1f4419032cb6d9fa80ac8c9273e14d3a1742aabd5d3b585aeb758d8af
SHA512

5ffaa07e1aeeb239d3e7b2ffe7f35df2565284ff376ddaa2ca37f5779c39e13931df5f9e16251049592f6ab0b3e58ecafe5fed02f5ad10d36d57f222f8beb6d5

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4716-5-0x0000000004360000-0x000000000438C000-memory.dmp	family_redline
behavioral2/memory/4716-7-0x0000000004560000-0x000000000458A000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

49P3sz7hwaBCw38mzH6t.exe

pid process

4716 49P3sz7hwaBCw38mzH6t.exe
4716 49P3sz7hwaBCw38mzH6t.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

49P3sz7hwaBCw38mzH6t.exe

description pid process

Token: SeDebugPrivilege 4716 49P3sz7hwaBCw38mzH6t.exe

pid	process
4716	49P3sz7hwaBCw38mzH6t.exe
4716	49P3sz7hwaBCw38mzH6t.exe

description	pid	process
Token: SeDebugPrivilege	4716	49P3sz7hwaBCw38mzH6t.exe

C:\Users\Admin\AppData\Local\Temp\49P3sz7hwaBCw38mzH6t.exe
"C:\Users\Admin\AppData\Local\Temp\49P3sz7hwaBCw38mzH6t.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4716-2-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/4716-3-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/4716-4-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/4716-5-0x0000000004360000-0x000000000438C000-memory.dmp

Filesize
176KB

Download
memory/4716-6-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/4716-7-0x0000000004560000-0x000000000458A000-memory.dmp

Filesize
168KB

Download
memory/4716-8-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/4716-9-0x0000000004050000-0x0000000004086000-memory.dmp

Filesize
216KB

Download
memory/4716-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4716-11-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/4716-12-0x0000000006BC2000-0x0000000006BC3000-memory.dmp

Filesize
4KB

Download
memory/4716-14-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/4716-15-0x0000000006BC3000-0x0000000006BC4000-memory.dmp

Filesize
4KB

Download
memory/4716-13-0x0000000006BC4000-0x0000000006BC6000-memory.dmp

Filesize
8KB

Download
memory/4716-16-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/4716-17-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/4716-18-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/4716-19-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/4716-20-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/4716-21-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/4716-22-0x0000000008780000-0x0000000008781000-memory.dmp

Filesize
4KB

Download
memory/4716-23-0x0000000008DC0000-0x0000000008DC1000-memory.dmp

Filesize
4KB

Download
memory/4716-24-0x0000000008E70000-0x0000000008E71000-memory.dmp

Filesize
4KB

Download
memory/4716-25-0x000000000A220000-0x000000000A221000-memory.dmp

Filesize
4KB

Download
memory/4716-26-0x000000000A2B0000-0x000000000A2B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing