redline | 0ccfbc16ae8b084b8ea6c8585ec8973f78304e18ad0317b51beca03c5c0eb499

Analysis

max time kernel
22s
max time network
24s
platform
windows7_x64
resource
win7v20210408
submitted
05-08-2021 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6621C0E6B6A64C9244B3FEA0FD8E662D.exe
Size

98KB
MD5

6621c0e6b6a64c9244b3fea0fd8e662d
SHA1

f9ef8d8b7a6d1ad92971e35d96d36642e18a1f8d
SHA256

0ccfbc16ae8b084b8ea6c8585ec8973f78304e18ad0317b51beca03c5c0eb499
SHA512

6fd6e7b02bab94f9d23f1d407dd069d72c31819b6823fd8dcf2989bd165dd6b840d44afcaa5b3fd7d2063d36ad83f528b0112aa0c235c980f9387d0260c72589

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6621C0E6B6A64C9244B3FEA0FD8E662D.exe

pid process

1824 6621C0E6B6A64C9244B3FEA0FD8E662D.exe
1824 6621C0E6B6A64C9244B3FEA0FD8E662D.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6621C0E6B6A64C9244B3FEA0FD8E662D.exe

description pid process

Token: SeDebugPrivilege 1824 6621C0E6B6A64C9244B3FEA0FD8E662D.exe

pid	process
1824	6621C0E6B6A64C9244B3FEA0FD8E662D.exe
1824	6621C0E6B6A64C9244B3FEA0FD8E662D.exe

description	pid	process
Token: SeDebugPrivilege	1824	6621C0E6B6A64C9244B3FEA0FD8E662D.exe

C:\Users\Admin\AppData\Local\Temp\6621C0E6B6A64C9244B3FEA0FD8E662D.exe
"C:\Users\Admin\AppData\Local\Temp\6621C0E6B6A64C9244B3FEA0FD8E662D.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-59-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1824-61-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download