redline | c434d4da9f9111e836666c93d246f062baa801b1fd098ab670c537353483bad0

General

Target

1019a49684d1fe54d86907d16d1bd90b.exe
Size

387KB
MD5

1019a49684d1fe54d86907d16d1bd90b
SHA1

9a5089606f1c0eb094635de11f9567228d78e21f
SHA256

c434d4da9f9111e836666c93d246f062baa801b1fd098ab670c537353483bad0
SHA512

5832b8e7cdc4d677ceba57e771ed117ab191b3c7f6967cf90c5ab3a06cb1b7d647630c49df6bf43a25e06ea6b09329b46fbdd4b7fcca6507b72e7b0d35d3b990

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1092-7-0x0000000002220000-0x000000000224E000-memory.dmp	family_redline
behavioral2/memory/1092-9-0x0000000004A20000-0x0000000004A4C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1019a49684d1fe54d86907d16d1bd90b.exe

pid process

1092 1019a49684d1fe54d86907d16d1bd90b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1019a49684d1fe54d86907d16d1bd90b.exe

description pid process

Token: SeDebugPrivilege 1092 1019a49684d1fe54d86907d16d1bd90b.exe

pid	process
1092	1019a49684d1fe54d86907d16d1bd90b.exe

description	pid	process
Token: SeDebugPrivilege	1092	1019a49684d1fe54d86907d16d1bd90b.exe

C:\Users\Admin\AppData\Local\Temp\1019a49684d1fe54d86907d16d1bd90b.exe
"C:\Users\Admin\AppData\Local\Temp\1019a49684d1fe54d86907d16d1bd90b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-2-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1092-3-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1092-4-0x0000000073D00000-0x00000000743EE000-memory.dmp

Filesize
6.9MB

Download
memory/1092-5-0x00000000020F0000-0x0000000002127000-memory.dmp

Filesize
220KB

Download
memory/1092-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1092-7-0x0000000002220000-0x000000000224E000-memory.dmp

Filesize
184KB

Download
memory/1092-8-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1092-9-0x0000000004A20000-0x0000000004A4C000-memory.dmp

Filesize
176KB

Download
memory/1092-10-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1092-11-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1092-12-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1092-14-0x0000000004C02000-0x0000000004C03000-memory.dmp

Filesize
4KB

Download
memory/1092-13-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1092-15-0x0000000004C03000-0x0000000004C04000-memory.dmp

Filesize
4KB

Download
memory/1092-16-0x0000000004C04000-0x0000000004C06000-memory.dmp

Filesize
8KB

Download
memory/1092-17-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/1092-18-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/1092-19-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1092-20-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/1092-21-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/1092-22-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/1092-23-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/1092-24-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/1092-25-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/1092-26-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing