redline | c4b04c108c2308b1bb0558cf3de4fc2b1357a8c112d7bc38c228874000b8a4bd

General

Target

4e622ee626caec7497e89442eeae4083.exe
Size

235KB
MD5

4e622ee626caec7497e89442eeae4083
SHA1

39958ce2a0e9c43506a3b796ae7dd94e5317e430
SHA256

c4b04c108c2308b1bb0558cf3de4fc2b1357a8c112d7bc38c228874000b8a4bd
SHA512

0fbc24f6a3daef01e35dd63b3539b586f483aec8a79e02d8e17001869f73fcd6328787b241549a0ed40c6338b3fff35e6d6af4987699b114bfe59017f485fd88

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/828-7-0x00000000075F0000-0x000000000761C000-memory.dmp	family_redline
behavioral2/memory/828-12-0x0000000007660000-0x000000000768A000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4e622ee626caec7497e89442eeae4083.exe

pid process

828 4e622ee626caec7497e89442eeae4083.exe
828 4e622ee626caec7497e89442eeae4083.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4e622ee626caec7497e89442eeae4083.exe

description pid process

Token: SeDebugPrivilege 828 4e622ee626caec7497e89442eeae4083.exe

pid	process
828	4e622ee626caec7497e89442eeae4083.exe
828	4e622ee626caec7497e89442eeae4083.exe

description	pid	process
Token: SeDebugPrivilege	828	4e622ee626caec7497e89442eeae4083.exe

C:\Users\Admin\AppData\Local\Temp\4e622ee626caec7497e89442eeae4083.exe
"C:\Users\Admin\AppData\Local\Temp\4e622ee626caec7497e89442eeae4083.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-2-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/828-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/828-3-0x00000000030F0000-0x0000000003126000-memory.dmp

Filesize
216KB

Download
memory/828-5-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/828-6-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/828-7-0x00000000075F0000-0x000000000761C000-memory.dmp

Filesize
176KB

Download
memory/828-8-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/828-10-0x0000000007742000-0x0000000007743000-memory.dmp

Filesize
4KB

Download
memory/828-9-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/828-11-0x0000000007743000-0x0000000007744000-memory.dmp

Filesize
4KB

Download
memory/828-12-0x0000000007660000-0x000000000768A000-memory.dmp

Filesize
168KB

Download
memory/828-13-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/828-14-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/828-15-0x0000000007744000-0x0000000007746000-memory.dmp

Filesize
8KB

Download
memory/828-16-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/828-17-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/828-18-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/828-19-0x0000000008500000-0x0000000008501000-memory.dmp

Filesize
4KB

Download
memory/828-20-0x0000000008680000-0x0000000008681000-memory.dmp

Filesize
4KB

Download
memory/828-21-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/828-22-0x0000000009430000-0x0000000009431000-memory.dmp

Filesize
4KB

Download
memory/828-23-0x0000000009A70000-0x0000000009A71000-memory.dmp

Filesize
4KB

Download
memory/828-24-0x0000000009B20000-0x0000000009B21000-memory.dmp

Filesize
4KB

Download
memory/828-25-0x000000000A350000-0x000000000A351000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing