redline | 687459064daabf67f8b61dc974e0b531f07aeda1f2084ae5ae6f2e1ab85a453c

Analysis

Target

2af4d5610934c0f627fcf69e79b61195.exe
Size

245KB
MD5

2af4d5610934c0f627fcf69e79b61195
SHA1

90656cc326f3105afea7d8e0a91b2e3e7e701c9e
SHA256

687459064daabf67f8b61dc974e0b531f07aeda1f2084ae5ae6f2e1ab85a453c
SHA512

8bf0d0a3e80753c03f346d79c7b630e1d54bc12a45762bfe255aebea300276d5f4ca1ad3cf3302b54ea91919dcf35e9ace0c9f0a9973795bb5a2d8ba3e12d209

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-7-0x0000000001FD0000-0x0000000001FFE000-memory.dmp	family_redline
behavioral1/memory/2008-8-0x0000000002100000-0x000000000212C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2af4d5610934c0f627fcf69e79b61195.exe

pid process

2008 2af4d5610934c0f627fcf69e79b61195.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2af4d5610934c0f627fcf69e79b61195.exe

description pid process

Token: SeDebugPrivilege 2008 2af4d5610934c0f627fcf69e79b61195.exe

pid	process
2008	2af4d5610934c0f627fcf69e79b61195.exe

description	pid	process
Token: SeDebugPrivilege	2008	2af4d5610934c0f627fcf69e79b61195.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/2008-2-0x0000000000770000-0x0000000000781000-memory.dmp

Filesize
68KB

Download
memory/2008-3-0x0000000002060000-0x0000000002071000-memory.dmp

Filesize
68KB

Download
memory/2008-4-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-5-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/2008-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-7-0x0000000001FD0000-0x0000000001FFE000-memory.dmp

Filesize
184KB

Download
memory/2008-8-0x0000000002100000-0x000000000212C000-memory.dmp

Filesize
176KB

Download
memory/2008-11-0x0000000004A43000-0x0000000004A44000-memory.dmp

Filesize
4KB

Download
memory/2008-10-0x0000000004A42000-0x0000000004A43000-memory.dmp

Filesize
4KB

Download
memory/2008-9-0x0000000004A41000-0x0000000004A42000-memory.dmp

Filesize
4KB

Download
memory/2008-12-0x0000000004A44000-0x0000000004A46000-memory.dmp

Filesize
8KB

Download