redline | 2a103ceb37522c1bb5f9b6336e52c3c8341b15276bbc44149ac65d26375b4c1d

General

Target

47e27edcb9be738259f5c3d81423c613.exe
Size

395KB
MD5

47e27edcb9be738259f5c3d81423c613
SHA1

3974b52edd4a1b1dedc6c2dcb308f735e444c131
SHA256

2a103ceb37522c1bb5f9b6336e52c3c8341b15276bbc44149ac65d26375b4c1d
SHA512

7144947aa0f4be257e444e6e2bf61797b6dcdfd2390a46a5ceec17530d4f3b8e8139e3648d63aad35bc3d81e39b98a4fe2e12597d927e5144e1e3e05e0d42a58

Score

10^/10

redline 3 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

3

C2

45.147.228.207:1569

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4736-116-0x0000000003440000-0x000000000345F000-memory.dmp	family_redline
behavioral2/memory/4736-122-0x00000000036D0000-0x00000000036EE000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

47e27edcb9be738259f5c3d81423c613.exe

pid process

4736 47e27edcb9be738259f5c3d81423c613.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

47e27edcb9be738259f5c3d81423c613.exe

description pid process

Token: SeDebugPrivilege 4736 47e27edcb9be738259f5c3d81423c613.exe

pid	process
4736	47e27edcb9be738259f5c3d81423c613.exe

description	pid	process
Token: SeDebugPrivilege	4736	47e27edcb9be738259f5c3d81423c613.exe

C:\Users\Admin\AppData\Local\Temp\47e27edcb9be738259f5c3d81423c613.exe
"C:\Users\Admin\AppData\Local\Temp\47e27edcb9be738259f5c3d81423c613.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4736-115-0x00000000017A0000-0x00000000018EA000-memory.dmp

Filesize
1.3MB

Download
memory/4736-116-0x0000000003440000-0x000000000345F000-memory.dmp

Filesize
124KB

Download
memory/4736-117-0x0000000000400000-0x000000000179A000-memory.dmp

Filesize
19.6MB

Download
memory/4736-118-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/4736-119-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/4736-120-0x0000000003652000-0x0000000003653000-memory.dmp

Filesize
4KB

Download
memory/4736-121-0x0000000003653000-0x0000000003654000-memory.dmp

Filesize
4KB

Download
memory/4736-122-0x00000000036D0000-0x00000000036EE000-memory.dmp

Filesize
120KB

Download
memory/4736-123-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/4736-124-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/4736-125-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/4736-126-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/4736-127-0x0000000003654000-0x0000000003656000-memory.dmp

Filesize
8KB

Download
memory/4736-128-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/4736-129-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/4736-130-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/4736-131-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/4736-132-0x0000000008580000-0x0000000008581000-memory.dmp

Filesize
4KB

Download
memory/4736-133-0x0000000008640000-0x0000000008641000-memory.dmp

Filesize
4KB

Download
memory/4736-134-0x00000000087D0000-0x00000000087D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing