redline | 7b31e9a3eb1d1b86583a4ce6df3e7acc24fac0c6ad9bf484b0158a508476c7b8

General

Target

6488c5b8360a5af1c1d0881b5659c566.exe
Size

423KB
MD5

6488c5b8360a5af1c1d0881b5659c566
SHA1

c8920d9149d4467b4967230e66e7cdf4edd132d5
SHA256

7b31e9a3eb1d1b86583a4ce6df3e7acc24fac0c6ad9bf484b0158a508476c7b8
SHA512

069ce3164342f43494d77fe7241263713e50f3448abf57559feb13283c1c89c334738760b3363c428f748cf29371e2fa4404b77044fd0bc936aa19e990f91290

Score

10^/10

redline 01.04 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

01.04

C2

golana.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6488c5b8360a5af1c1d0881b5659c566.exe

pid process

1144 6488c5b8360a5af1c1d0881b5659c566.exe
1144 6488c5b8360a5af1c1d0881b5659c566.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6488c5b8360a5af1c1d0881b5659c566.exe

description pid process

Token: SeDebugPrivilege 1144 6488c5b8360a5af1c1d0881b5659c566.exe

pid	process
1144	6488c5b8360a5af1c1d0881b5659c566.exe
1144	6488c5b8360a5af1c1d0881b5659c566.exe

description	pid	process
Token: SeDebugPrivilege	1144	6488c5b8360a5af1c1d0881b5659c566.exe

C:\Users\Admin\AppData\Local\Temp\6488c5b8360a5af1c1d0881b5659c566.exe
"C:\Users\Admin\AppData\Local\Temp\6488c5b8360a5af1c1d0881b5659c566.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-2-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/1144-3-0x0000000001C20000-0x0000000001C5A000-memory.dmp

Filesize
232KB

Download
memory/1144-4-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/1144-5-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/1144-6-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1144-7-0x0000000003980000-0x00000000039B4000-memory.dmp

Filesize
208KB

Download
memory/1144-8-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/1144-9-0x0000000005E80000-0x0000000005EB2000-memory.dmp

Filesize
200KB

Download
memory/1144-10-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/1144-12-0x0000000005EE2000-0x0000000005EE3000-memory.dmp

Filesize
4KB

Download
memory/1144-11-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/1144-13-0x0000000005EE3000-0x0000000005EE4000-memory.dmp

Filesize
4KB

Download
memory/1144-14-0x0000000005EE4000-0x0000000005EE6000-memory.dmp

Filesize
8KB

Download
memory/1144-15-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/1144-16-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/1144-17-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/1144-18-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/1144-19-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/1144-20-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/1144-21-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/1144-22-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/1144-23-0x0000000008560000-0x0000000008561000-memory.dmp

Filesize
4KB

Download
memory/1144-24-0x0000000008610000-0x0000000008611000-memory.dmp

Filesize
4KB

Download
memory/1144-25-0x0000000008F90000-0x0000000008F91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing