redline | ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5

General

Target

30073d7cc81768ddd8e3bb1b08b9f144.exe
Size

428KB
MD5

30073d7cc81768ddd8e3bb1b08b9f144
SHA1

439eb4d721bd814b04598890736685506a5bfcf1
SHA256

ddd810853f9fa4626060db340eaf5c38b614b81be0dc05f92c0f5356431bc9c5
SHA512

b90a32f870794b5e0f979774c16ee333ab032d24508a38949ddae095f87b7eb2754e3f84b8f1c234cbb219ea436ffea3e2da3d0379b9c9b7434df5b64039252a

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4712-7-0x0000000004970000-0x000000000499C000-memory.dmp	family_redline
behavioral2/memory/4712-9-0x0000000004B30000-0x0000000004B5A000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

30073d7cc81768ddd8e3bb1b08b9f144.exe

pid process

4712 30073d7cc81768ddd8e3bb1b08b9f144.exe
4712 30073d7cc81768ddd8e3bb1b08b9f144.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

30073d7cc81768ddd8e3bb1b08b9f144.exe

description pid process

Token: SeDebugPrivilege 4712 30073d7cc81768ddd8e3bb1b08b9f144.exe

pid	process
4712	30073d7cc81768ddd8e3bb1b08b9f144.exe
4712	30073d7cc81768ddd8e3bb1b08b9f144.exe

description	pid	process
Token: SeDebugPrivilege	4712	30073d7cc81768ddd8e3bb1b08b9f144.exe

C:\Users\Admin\AppData\Local\Temp\30073d7cc81768ddd8e3bb1b08b9f144.exe
"C:\Users\Admin\AppData\Local\Temp\30073d7cc81768ddd8e3bb1b08b9f144.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4712-2-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/4712-3-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/4712-4-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/4712-5-0x0000000002BF0000-0x0000000002C26000-memory.dmp

Filesize
216KB

Download
memory/4712-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4712-7-0x0000000004970000-0x000000000499C000-memory.dmp

Filesize
176KB

Download
memory/4712-8-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/4712-9-0x0000000004B30000-0x0000000004B5A000-memory.dmp

Filesize
168KB

Download
memory/4712-10-0x00000000071F0000-0x00000000071F1000-memory.dmp

Filesize
4KB

Download
memory/4712-11-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4712-13-0x00000000072B2000-0x00000000072B3000-memory.dmp

Filesize
4KB

Download
memory/4712-12-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/4712-14-0x00000000072B3000-0x00000000072B4000-memory.dmp

Filesize
4KB

Download
memory/4712-15-0x00000000072B4000-0x00000000072B6000-memory.dmp

Filesize
8KB

Download
memory/4712-16-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/4712-17-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/4712-18-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/4712-19-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/4712-20-0x0000000008170000-0x0000000008171000-memory.dmp

Filesize
4KB

Download
memory/4712-21-0x0000000008D30000-0x0000000008D31000-memory.dmp

Filesize
4KB

Download
memory/4712-22-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/4712-23-0x0000000009560000-0x0000000009561000-memory.dmp

Filesize
4KB

Download
memory/4712-24-0x0000000009610000-0x0000000009611000-memory.dmp

Filesize
4KB

Download
memory/4712-25-0x0000000009E40000-0x0000000009E41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing