redline | 909aaea4a3072305c0bcaab9d7b9cab70990305541db276ab8d870e3fbc51a18

Analysis

max time kernel
301s
max time network
297s
platform
windows10_x64
resource
win10v20210410
submitted
23-08-2021 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uMWmES83oduRUCtOU5jzfQkJ.exe
Size

264KB
MD5

c7ccbd62c259a382501ff67408594011
SHA1

c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA256

8cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA512

5f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

205.185.119.191:18846

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral27/memory/3248-118-0x0000000004B60000-0x0000000004B7C000-memory.dmp	family_redline
behavioral27/memory/3248-120-0x0000000004BC0000-0x0000000004BDA000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

uMWmES83oduRUCtOU5jzfQkJ.exe

pid process

3248 uMWmES83oduRUCtOU5jzfQkJ.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uMWmES83oduRUCtOU5jzfQkJ.exe

description pid process

Token: SeDebugPrivilege 3248 uMWmES83oduRUCtOU5jzfQkJ.exe

pid	process
3248	uMWmES83oduRUCtOU5jzfQkJ.exe

description	pid	process
Token: SeDebugPrivilege	3248	uMWmES83oduRUCtOU5jzfQkJ.exe

C:\Users\Admin\AppData\Local\Temp\uMWmES83oduRUCtOU5jzfQkJ.exe
"C:\Users\Admin\AppData\Local\Temp\uMWmES83oduRUCtOU5jzfQkJ.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3248-117-0x0000000002CD0000-0x0000000002D7E000-memory.dmp

Filesize
696KB

Download
memory/3248-118-0x0000000004B60000-0x0000000004B7C000-memory.dmp

Filesize
112KB

Download
memory/3248-119-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/3248-120-0x0000000004BC0000-0x0000000004BDA000-memory.dmp

Filesize
104KB

Download
memory/3248-121-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/3248-122-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/3248-123-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/3248-124-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/3248-126-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3248-125-0x0000000000400000-0x0000000002CD0000-memory.dmp

Filesize
40.8MB

Download
memory/3248-128-0x0000000004BB3000-0x0000000004BB4000-memory.dmp

Filesize
4KB

Download
memory/3248-127-0x0000000004BB2000-0x0000000004BB3000-memory.dmp

Filesize
4KB

Download
memory/3248-129-0x0000000004BB4000-0x0000000004BB6000-memory.dmp

Filesize
8KB

Download
memory/3248-130-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/3248-131-0x0000000008CC0000-0x0000000008CC1000-memory.dmp

Filesize
4KB

Download
memory/3248-132-0x0000000008E90000-0x0000000008E91000-memory.dmp

Filesize
4KB

Download
memory/3248-133-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download
memory/3248-134-0x0000000009840000-0x0000000009841000-memory.dmp

Filesize
4KB

Download
memory/3248-135-0x0000000009900000-0x0000000009901000-memory.dmp

Filesize
4KB

Download
memory/3248-136-0x0000000009A10000-0x0000000009A11000-memory.dmp

Filesize
4KB

Download