redline | 4965e6e224897f69fa884aded52e0dd664bc21f16a0733bd01f733dee66868e8

General

Target

593a20557bc4f2e48090138ac3780b32.exe
Size

291KB
MD5

593a20557bc4f2e48090138ac3780b32
SHA1

a570a1e1c270f4dde80689e600473f47fef6c985
SHA256

4965e6e224897f69fa884aded52e0dd664bc21f16a0733bd01f733dee66868e8
SHA512

1cf75da34b1b1b5e78de3d2a44a9a01f127ab35197b6cb6debd6212d8f6b2e492bd5d9babfb6ae0123306c306a82f7e75be6466da110ae1983048d786d5dad89

Score

10^/10

redline 1309 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

1309

C2

95.217.77.23:53845

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4656-115-0x0000000003ED0000-0x0000000003EEF000-memory.dmp	family_redline
behavioral2/memory/4656-117-0x0000000004250000-0x000000000426E000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

593a20557bc4f2e48090138ac3780b32.exe

pid process

4656 593a20557bc4f2e48090138ac3780b32.exe
4656 593a20557bc4f2e48090138ac3780b32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

593a20557bc4f2e48090138ac3780b32.exe

description pid process

Token: SeDebugPrivilege 4656 593a20557bc4f2e48090138ac3780b32.exe

pid	process
4656	593a20557bc4f2e48090138ac3780b32.exe
4656	593a20557bc4f2e48090138ac3780b32.exe

description	pid	process
Token: SeDebugPrivilege	4656	593a20557bc4f2e48090138ac3780b32.exe

C:\Users\Admin\AppData\Local\Temp\593a20557bc4f2e48090138ac3780b32.exe
"C:\Users\Admin\AppData\Local\Temp\593a20557bc4f2e48090138ac3780b32.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4656-115-0x0000000003ED0000-0x0000000003EEF000-memory.dmp

Filesize
124KB

Download
memory/4656-116-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/4656-117-0x0000000004250000-0x000000000426E000-memory.dmp

Filesize
120KB

Download
memory/4656-118-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/4656-119-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/4656-120-0x0000000003D40000-0x0000000003D70000-memory.dmp

Filesize
192KB

Download
memory/4656-122-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/4656-121-0x0000000000400000-0x0000000002167000-memory.dmp

Filesize
29.4MB

Download
memory/4656-123-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/4656-124-0x0000000003E32000-0x0000000003E33000-memory.dmp

Filesize
4KB

Download
memory/4656-125-0x0000000003E33000-0x0000000003E34000-memory.dmp

Filesize
4KB

Download
memory/4656-126-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/4656-127-0x0000000003E34000-0x0000000003E36000-memory.dmp

Filesize
8KB

Download
memory/4656-128-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/4656-129-0x0000000008640000-0x0000000008641000-memory.dmp

Filesize
4KB

Download
memory/4656-130-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/4656-131-0x0000000008E30000-0x0000000008E31000-memory.dmp

Filesize
4KB

Download
memory/4656-132-0x00000000091C0000-0x00000000091C1000-memory.dmp

Filesize
4KB

Download
memory/4656-133-0x00000000092C0000-0x00000000092C1000-memory.dmp

Filesize
4KB

Download
memory/4656-134-0x0000000009280000-0x0000000009281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing