redline | 0d91aa4091d7eab7d3b2e0ba353241a1e74746a5c1a02ff26290874085fb6d57

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7v20210408
submitted
10-05-2021 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133E916268D3F97CA4E2751A1C8BCB1A.exe
Size

433KB
MD5

133e916268d3f97ca4e2751a1c8bcb1a
SHA1

fcacac94431f772151f206400f255c3b493f14ea
SHA256

0d91aa4091d7eab7d3b2e0ba353241a1e74746a5c1a02ff26290874085fb6d57
SHA512

4f7b2ee402b16bde1cd32623237d556811d56204cb227f1df9be9479624b27abd36fd35e7e69e5d3123ee1541f4ba7592fd5d19f607e4bc64de6d7ff50f3e2bd

Score

10^/10

redline pub11-1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

PUB11-1

shapkishop.store:80

razorless-shaving.store:80

fugicarfc8.store:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/484-61-0x0000000001D70000-0x0000000001D8F000-memory.dmp	family_redline
behavioral1/memory/484-65-0x0000000002170000-0x000000000218D000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

133E916268D3F97CA4E2751A1C8BCB1A.exe

pid process

484 133E916268D3F97CA4E2751A1C8BCB1A.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

133E916268D3F97CA4E2751A1C8BCB1A.exe

description pid process

Token: SeDebugPrivilege 484 133E916268D3F97CA4E2751A1C8BCB1A.exe

pid	process
484	133E916268D3F97CA4E2751A1C8BCB1A.exe

description	pid	process
Token: SeDebugPrivilege	484	133E916268D3F97CA4E2751A1C8BCB1A.exe

C:\Users\Admin\AppData\Local\Temp\133E916268D3F97CA4E2751A1C8BCB1A.exe
"C:\Users\Admin\AppData\Local\Temp\133E916268D3F97CA4E2751A1C8BCB1A.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-59-0x0000000000490000-0x00000000004C0000-memory.dmp

Filesize
192KB

Download
memory/484-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/484-61-0x0000000001D70000-0x0000000001D8F000-memory.dmp

Filesize
124KB

Download
memory/484-63-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/484-62-0x00000000048D1000-0x00000000048D2000-memory.dmp

Filesize
4KB

Download
memory/484-64-0x00000000048D3000-0x00000000048D4000-memory.dmp

Filesize
4KB

Download
memory/484-65-0x0000000002170000-0x000000000218D000-memory.dmp

Filesize
116KB

Download
memory/484-66-0x00000000048D4000-0x00000000048D6000-memory.dmp

Filesize
8KB

Download