redline | f9ef65133d324e1026972cbfbbe86fb0f2a4174a864dedbb45a73857770baaad

General

Target

85ef416ea4190eaf38a2697152ee6561.exe
Size

3.0MB
MD5

85ef416ea4190eaf38a2697152ee6561
SHA1

556d37b62d2068273f56a988e4aed4429d7c10f6
SHA256

f9ef65133d324e1026972cbfbbe86fb0f2a4174a864dedbb45a73857770baaad
SHA512

acc21ec3f786eaabfc1d296183e218c277fabac86345a02bf45da4c9c864a29193f6c591cc9902389e3301b021e064a2149171c434d1bf95cd62c125962fb4b7

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1432-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/1432-14-0x000000000041EFCA-mapping.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

SmartScreen.exetsetup.2.5.8.exetsetup.2.5.8.tmp

pid process

2768 SmartScreen.exe
2248 tsetup.2.5.8.exe
3288 tsetup.2.5.8.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe

description pid process target process

PID 1152 set thread context of 1432 1152 85ef416ea4190eaf38a2697152ee6561.exe 85ef416ea4190eaf38a2697152ee6561.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe

pid process

1432 85ef416ea4190eaf38a2697152ee6561.exe
1432 85ef416ea4190eaf38a2697152ee6561.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe

description pid process

Token: SeDebugPrivilege 1432 85ef416ea4190eaf38a2697152ee6561.exe

pid	process
2768	SmartScreen.exe
2248	tsetup.2.5.8.exe
3288	tsetup.2.5.8.tmp

description	pid	process	target process
PID 1152 set thread context of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe

pid	process
1432	85ef416ea4190eaf38a2697152ee6561.exe
1432	85ef416ea4190eaf38a2697152ee6561.exe

description	pid	process
Token: SeDebugPrivilege	1432	85ef416ea4190eaf38a2697152ee6561.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

85ef416ea4190eaf38a2697152ee6561.exe85ef416ea4190eaf38a2697152ee6561.exetsetup.2.5.8.exe

description	pid	process	target process
PID 1152 wrote to memory of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1152 wrote to memory of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1152 wrote to memory of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1152 wrote to memory of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1152 wrote to memory of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1152 wrote to memory of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1152 wrote to memory of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1152 wrote to memory of 1432	1152	85ef416ea4190eaf38a2697152ee6561.exe	85ef416ea4190eaf38a2697152ee6561.exe
PID 1432 wrote to memory of 2768	1432	85ef416ea4190eaf38a2697152ee6561.exe	SmartScreen.exe
PID 1432 wrote to memory of 2768	1432	85ef416ea4190eaf38a2697152ee6561.exe	SmartScreen.exe
PID 1432 wrote to memory of 2768	1432	85ef416ea4190eaf38a2697152ee6561.exe	SmartScreen.exe
PID 1432 wrote to memory of 2248	1432	85ef416ea4190eaf38a2697152ee6561.exe	tsetup.2.5.8.exe
PID 1432 wrote to memory of 2248	1432	85ef416ea4190eaf38a2697152ee6561.exe	tsetup.2.5.8.exe
PID 1432 wrote to memory of 2248	1432	85ef416ea4190eaf38a2697152ee6561.exe	tsetup.2.5.8.exe
PID 2248 wrote to memory of 3288	2248	tsetup.2.5.8.exe	tsetup.2.5.8.tmp
PID 2248 wrote to memory of 3288	2248	tsetup.2.5.8.exe	tsetup.2.5.8.tmp
PID 2248 wrote to memory of 3288	2248	tsetup.2.5.8.exe	tsetup.2.5.8.tmp

C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe
"C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe
"C:\Users\Admin\AppData\Local\Temp\85ef416ea4190eaf38a2697152ee6561.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe
"C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe"
3⤵
- Executes dropped EXE
PID:2768

C:\Users\Admin\AppData\Local\Temp\tsetup.2.5.8.exe
"C:\Users\Admin\AppData\Local\Temp\tsetup.2.5.8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\is-O3KKJ.tmp\tsetup.2.5.8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O3KKJ.tmp\tsetup.2.5.8.tmp" /SL5="$600D4,26099021,1145856,C:\Users\Admin\AppData\Local\Temp\tsetup.2.5.8.exe"
4⤵
- Executes dropped EXE
PID:3288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\85ef416ea4190eaf38a2697152ee6561.exe.log
MD5
5b50852bf977f644bcd5997b7b5883c1

SHA1
8b53694b796620422b366dc5b8dbb3ce3060473c

SHA256
667bc8c8d53eddf6355877344b669db4fb9762e6320afc7316c3786213a254a9

SHA512
7e794fa7de5eca585000ef840ca821f36205d25b389747339d8b8d58b1ef3cd16306e62288f86027cbe6a76eeccc9dc7634a11c94ba551f3ce42ee874fac712d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe
MD5
9b1d450411df0315c8586d9e9fed1c80

SHA1
a7ee3d0e3257261ba1f6a8920fe27518c3fa7d83

SHA256
e74a678dab7fca1ea27de8906f9c8a70f3e7023f54cf96f7e2b2f63b6881de46

SHA512
7a616d85729a9971f22f01441d2f48335e44998f117707e1c2cd1b3b138b4264398ecc09da88c25d62a67b7932f71414b9b667c48afb2f1a5cb34630e161640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartScreen.exe
MD5
9b1d450411df0315c8586d9e9fed1c80

SHA1
a7ee3d0e3257261ba1f6a8920fe27518c3fa7d83

SHA256
e74a678dab7fca1ea27de8906f9c8a70f3e7023f54cf96f7e2b2f63b6881de46

SHA512
7a616d85729a9971f22f01441d2f48335e44998f117707e1c2cd1b3b138b4264398ecc09da88c25d62a67b7932f71414b9b667c48afb2f1a5cb34630e161640c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O3KKJ.tmp\tsetup.2.5.8.tmp
MD5
3808041961f81510c5b4c1a3a799a6c2

SHA1
ed3b06e9b83a458c620a66ebfa78c398a4c532b7

SHA256
20240903e61098c1f4677dc2ee0790e6cece9876c07cc31d0ae081b6d4c18068

SHA512
28c608c9fc20f16efaf7969612cfd9a1bdfef62d71657e658bf2dec126f4a690155ff705a93bcb37e97b8592018faedc68e65d6100b953545d2908b860f798c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsetup.2.5.8.exe
MD5
3d227da15c50120b2a6736ac50445925

SHA1
3c5141b0d14424b1638064da24db69d98dd6d4a0

SHA256
e44605da268375e0331aed93c9102270c6fa12486a614f919b09a5c82b305d56

SHA512
9422fb85c5eeb0225c8d0f4096d5d9b551f592d73faf887a73874fa7e03c832add5bbc0d585181850141f29f02a088a3a20619b930f795605d69bf95e29bdff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsetup.2.5.8.exe
MD5
3d227da15c50120b2a6736ac50445925

SHA1
3c5141b0d14424b1638064da24db69d98dd6d4a0

SHA256
e44605da268375e0331aed93c9102270c6fa12486a614f919b09a5c82b305d56

SHA512
9422fb85c5eeb0225c8d0f4096d5d9b551f592d73faf887a73874fa7e03c832add5bbc0d585181850141f29f02a088a3a20619b930f795605d69bf95e29bdff7

Download Submit
memory/1152-7-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1152-10-0x0000000005570000-0x0000000005573000-memory.dmp

Filesize
12KB

Download
memory/1152-11-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/1152-12-0x0000000005870000-0x00000000058B8000-memory.dmp

Filesize
288KB

Download
memory/1152-9-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/1152-8-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/1152-2-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1152-6-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/1152-5-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/1152-3-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1432-25-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/1432-20-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/1432-23-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/1432-24-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/1432-21-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/1432-26-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/1432-27-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/1432-28-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/1432-31-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/1432-32-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/1432-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1432-22-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/1432-19-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/1432-14-0x000000000041EFCA-mapping.dmp

Download
memory/1432-16-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2248-46-0x0000000000000000-mapping.dmp

Download
memory/2248-52-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2768-43-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2768-38-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2768-37-0x00000000734F0000-0x0000000073BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2768-49-0x0000000004CD0000-0x0000000004CD4000-memory.dmp

Filesize
16KB

Download
memory/2768-34-0x0000000000000000-mapping.dmp

Download
memory/3288-50-0x0000000000000000-mapping.dmp

Download
memory/3288-53-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing