redline | f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48

General

Target

0bb400582081d479bbf36c374b1b384a.exe
Size

338KB
MD5

0bb400582081d479bbf36c374b1b384a
SHA1

9a55d9786f73e1c4a81de9c965527717d169a29d
SHA256

f4c347b4a344291c7e62fc77734b3e403358723874f7460ea4e2a6f2c3659b48
SHA512

54c2035aa64df182c020b8e283ab6cd50988d4686c0889abee28ca03235d98bc2875151b7550d0c978839046d7841825dafb38509891a17beb7a733512d90508

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1232-8-0x0000000004240000-0x000000000426C000-memory.dmp	family_redline
behavioral2/memory/1232-10-0x0000000004490000-0x00000000044BA000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0bb400582081d479bbf36c374b1b384a.exe

pid process

1232 0bb400582081d479bbf36c374b1b384a.exe
1232 0bb400582081d479bbf36c374b1b384a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0bb400582081d479bbf36c374b1b384a.exe

description pid process

Token: SeDebugPrivilege 1232 0bb400582081d479bbf36c374b1b384a.exe

pid	process
1232	0bb400582081d479bbf36c374b1b384a.exe
1232	0bb400582081d479bbf36c374b1b384a.exe

description	pid	process
Token: SeDebugPrivilege	1232	0bb400582081d479bbf36c374b1b384a.exe

C:\Users\Admin\AppData\Local\Temp\0bb400582081d479bbf36c374b1b384a.exe
"C:\Users\Admin\AppData\Local\Temp\0bb400582081d479bbf36c374b1b384a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-2-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/1232-3-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/1232-4-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1232-5-0x0000000003E60000-0x0000000003E96000-memory.dmp

Filesize
216KB

Download
memory/1232-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-7-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/1232-8-0x0000000004240000-0x000000000426C000-memory.dmp

Filesize
176KB

Download
memory/1232-9-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/1232-10-0x0000000004490000-0x00000000044BA000-memory.dmp

Filesize
168KB

Download
memory/1232-11-0x0000000006910000-0x0000000006911000-memory.dmp

Filesize
4KB

Download
memory/1232-12-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/1232-14-0x0000000006A02000-0x0000000006A03000-memory.dmp

Filesize
4KB

Download
memory/1232-13-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/1232-15-0x0000000006A03000-0x0000000006A04000-memory.dmp

Filesize
4KB

Download
memory/1232-16-0x0000000006A04000-0x0000000006A06000-memory.dmp

Filesize
8KB

Download
memory/1232-17-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/1232-18-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/1232-19-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/1232-20-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/1232-21-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/1232-22-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/1232-23-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/1232-24-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/1232-25-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

Filesize
4KB

Download
memory/1232-26-0x000000000A160000-0x000000000A161000-memory.dmp

Filesize
4KB

Download
memory/1232-27-0x000000000A1F0000-0x000000000A1F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing