redline | 5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0

General

Target

5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe
Size

402KB
MD5

454ed4e5b18d9a3b849174b54582f8b5
SHA1

dab955c4b50cd7c617a0266540904b77e87b95ac
SHA256

5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0
SHA512

801318bbe8350b19eea17ed1f5a770e4b4b5191f39153398fab0ea8bbfce975484e65c4021982147448b8a59e92caa1e478f659fda5ffaf175b4cf714015136e

Score

10^/10

redline 10fk discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

10fk

C2

185.45.192.203:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1832-116-0x00000000036D0000-0x00000000036EF000-memory.dmp	family_redline
behavioral1/memory/1832-121-0x00000000039B0000-0x00000000039CE000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe

pid	process
1832	5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe
1832	5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe

description pid process

Token: SeDebugPrivilege 1832 5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe

description	pid	process
Token: SeDebugPrivilege	1832	5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe

C:\Users\Admin\AppData\Local\Temp\5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe
"C:\Users\Admin\AppData\Local\Temp\5a746e76da071e086b745f2fef4dc767b56922f3fec34ad91e40becf57c706b0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-114-0x0000000001A30000-0x0000000001A60000-memory.dmp

Filesize
192KB

Download
memory/1832-115-0x0000000000400000-0x000000000179C000-memory.dmp

Filesize
19.6MB

Download
memory/1832-116-0x00000000036D0000-0x00000000036EF000-memory.dmp

Filesize
124KB

Download
memory/1832-117-0x0000000005F80000-0x0000000005F81000-memory.dmp

Filesize
4KB

Download
memory/1832-118-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/1832-120-0x0000000005F73000-0x0000000005F74000-memory.dmp

Filesize
4KB

Download
memory/1832-119-0x0000000005F72000-0x0000000005F73000-memory.dmp

Filesize
4KB

Download
memory/1832-121-0x00000000039B0000-0x00000000039CE000-memory.dmp

Filesize
120KB

Download
memory/1832-122-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/1832-123-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/1832-124-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/1832-125-0x0000000005F74000-0x0000000005F76000-memory.dmp

Filesize
8KB

Download
memory/1832-126-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/1832-127-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/1832-128-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/1832-129-0x0000000007F80000-0x0000000007F81000-memory.dmp

Filesize
4KB

Download
memory/1832-130-0x00000000085A0000-0x00000000085A1000-memory.dmp

Filesize
4KB

Download
memory/1832-131-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/1832-132-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/1832-133-0x0000000008980000-0x0000000008981000-memory.dmp

Filesize
4KB

Download
memory/1832-134-0x0000000008C80000-0x0000000008C81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing