redline | 0c16b313253259d25a77c5019df1985e6c356c56f4ce19f8119829efec7db43d

General

Target

25b64c0bad59caa2bb89de749ce69e2b.exe
Size

387KB
MD5

25b64c0bad59caa2bb89de749ce69e2b
SHA1

26bd53222cdce89e0ab183db7fa9df6dd489982b
SHA256

0c16b313253259d25a77c5019df1985e6c356c56f4ce19f8119829efec7db43d
SHA512

930569743201567d74d32e34361ad13b801c6ef492543d805a1ba1553a4aa037738214e4b8e3546a69187b72478072c78ee526e77ebb77d1113e463ea6e0e173

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

C2

193.56.146.60:51431

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1696-114-0x00000000022F0000-0x000000000230B000-memory.dmp	family_redline
behavioral2/memory/1696-116-0x00000000023B0000-0x00000000023CA000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

25b64c0bad59caa2bb89de749ce69e2b.exe

pid process

1696 25b64c0bad59caa2bb89de749ce69e2b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

25b64c0bad59caa2bb89de749ce69e2b.exe

description pid process

Token: SeDebugPrivilege 1696 25b64c0bad59caa2bb89de749ce69e2b.exe

pid	process
1696	25b64c0bad59caa2bb89de749ce69e2b.exe

description	pid	process
Token: SeDebugPrivilege	1696	25b64c0bad59caa2bb89de749ce69e2b.exe

C:\Users\Admin\AppData\Local\Temp\25b64c0bad59caa2bb89de749ce69e2b.exe
"C:\Users\Admin\AppData\Local\Temp\25b64c0bad59caa2bb89de749ce69e2b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-114-0x00000000022F0000-0x000000000230B000-memory.dmp

Filesize
108KB

Download
memory/1696-115-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1696-116-0x00000000023B0000-0x00000000023CA000-memory.dmp

Filesize
104KB

Download
memory/1696-117-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/1696-118-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1696-119-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1696-121-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1696-120-0x00000000005F0000-0x000000000061F000-memory.dmp

Filesize
188KB

Download
memory/1696-122-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1696-123-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

Filesize
4KB

Download
memory/1696-124-0x0000000004AD3000-0x0000000004AD4000-memory.dmp

Filesize
4KB

Download
memory/1696-125-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/1696-126-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/1696-127-0x0000000004AD4000-0x0000000004AD6000-memory.dmp

Filesize
8KB

Download
memory/1696-128-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/1696-129-0x0000000006640000-0x0000000006641000-memory.dmp

Filesize
4KB

Download
memory/1696-130-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/1696-131-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/1696-132-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/1696-133-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing