redline | 541eea3db458d43683da16a81d5d9edc6c0b020008a5a3314ba624a4339917a3

General

Target

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe
Size

205KB
MD5

ecd8ffbea7663996b2d7298bb3088e6a
SHA1

0f57aa1bbdca911955036057ea54ccc3a4eb45e2
SHA256

541eea3db458d43683da16a81d5d9edc6c0b020008a5a3314ba624a4339917a3
SHA512

a9de3f8adca174dd9f1322c8236c0d0ce601335cb61c6be06a61c7c66ef7cc5a6ddfb0bedcf1c00520a1b45ec3c6e21c7d55b4a5a2b3dbb277dcaaa386c20d9d

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4716-4-0x0000000002340000-0x0000000002369000-memory.dmp	family_redline
behavioral2/memory/4716-6-0x0000000004E50000-0x0000000004E77000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe

pid process

4716 SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe
4716 SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe

description pid process

Token: SeDebugPrivilege 4716 SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe

pid	process
4716	SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe
4716	SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe

description	pid	process
Token: SeDebugPrivilege	4716	SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4716-2-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4716-3-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4716-4-0x0000000002340000-0x0000000002369000-memory.dmp

Filesize
164KB

Download
memory/4716-5-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/4716-6-0x0000000004E50000-0x0000000004E77000-memory.dmp

Filesize
156KB

Download
memory/4716-7-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4716-8-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/4716-9-0x00000000023D2000-0x00000000023D3000-memory.dmp

Filesize
4KB

Download
memory/4716-10-0x00000000023D3000-0x00000000023D4000-memory.dmp

Filesize
4KB

Download
memory/4716-11-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4716-12-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4716-13-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/4716-14-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4716-15-0x00000000023D4000-0x00000000023D6000-memory.dmp

Filesize
8KB

Download
memory/4716-16-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/4716-17-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/4716-18-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/4716-19-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/4716-20-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/4716-21-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/4716-22-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/4716-23-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing