redline | 4d788f0e1a3be7d6e706fcba03282ae62a0ab8df95014feb9f026bce5ddff089

General

Target

A75F.exe
Size

235KB
MD5

f350e12541835a5eee54cf0d5a5aa5f4
SHA1

68a33f9ceb9fce762638aea0349f5a8410968262
SHA256

4d788f0e1a3be7d6e706fcba03282ae62a0ab8df95014feb9f026bce5ddff089
SHA512

aa14ca6d6fac284330ede40c5998b33303da1556d83329e798a3e1ee7531920131816014b0550b98986aeef6f5ecfddb87092f9408dea28d314e7416711a7878

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/528-8-0x0000000000A70000-0x0000000000A9E000-memory.dmp	family_redline
behavioral2/memory/528-10-0x0000000002750000-0x000000000277C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

A75F.exe

pid process

528 A75F.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

A75F.exe

description pid process

Token: SeDebugPrivilege 528 A75F.exe

pid	process
528	A75F.exe

description	pid	process
Token: SeDebugPrivilege	528	A75F.exe

C:\Users\Admin\AppData\Local\Temp\A75F.exe
"C:\Users\Admin\AppData\Local\Temp\A75F.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/528-2-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/528-3-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/528-5-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/528-4-0x0000000000760000-0x0000000000797000-memory.dmp

Filesize
220KB

Download
memory/528-6-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/528-7-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/528-8-0x0000000000A70000-0x0000000000A9E000-memory.dmp

Filesize
184KB

Download
memory/528-9-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/528-10-0x0000000002750000-0x000000000277C000-memory.dmp

Filesize
176KB

Download
memory/528-12-0x0000000004D83000-0x0000000004D84000-memory.dmp

Filesize
4KB

Download
memory/528-11-0x0000000004D82000-0x0000000004D83000-memory.dmp

Filesize
4KB

Download
memory/528-13-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/528-14-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/528-15-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/528-16-0x0000000004D84000-0x0000000004D86000-memory.dmp

Filesize
8KB

Download
memory/528-17-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/528-18-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/528-19-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/528-20-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/528-21-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/528-22-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/528-23-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/528-24-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/528-25-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing