redline | 022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d

General

Target

022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe
Size

239KB
MD5

cdc869e08689f2f02c58cf79da590dcd
SHA1

5dab80445f3e9654c763930c81db38496bacb51b
SHA256

022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d
SHA512

c0df9777b71f11338cf252131c4e50702045e55c46a05ce2a45c01c0ee7d6f9e3fe71524d7217c746bb13932d8ae0470998b626c3918c640083035f5401a5ada

Score

10^/10

redline udp discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

UDP

C2

45.9.20.20:13441

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2332-115-0x00000000023C0000-0x00000000023DF000-memory.dmp	family_redline
behavioral1/memory/2332-117-0x00000000026E0000-0x00000000026FE000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe

pid process

2332 022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe

description pid process

Token: SeDebugPrivilege 2332 022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe

pid	process
2332	022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe

description	pid	process
Token: SeDebugPrivilege	2332	022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe

C:\Users\Admin\AppData\Local\Temp\022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe
"C:\Users\Admin\AppData\Local\Temp\022b39ba6c96a3f8bedc8349167816ea8631ce3e05379bec0fabe2905183133d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2332-115-0x00000000023C0000-0x00000000023DF000-memory.dmp

Filesize
124KB

Download
memory/2332-116-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2332-117-0x00000000026E0000-0x00000000026FE000-memory.dmp

Filesize
120KB

Download
memory/2332-119-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2332-120-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2332-118-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/2332-121-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2332-122-0x0000000004C92000-0x0000000004C93000-memory.dmp

Filesize
4KB

Download
memory/2332-123-0x0000000004C93000-0x0000000004C94000-memory.dmp

Filesize
4KB

Download
memory/2332-124-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/2332-125-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2332-126-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2332-127-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/2332-128-0x0000000004C94000-0x0000000004C96000-memory.dmp

Filesize
8KB

Download
memory/2332-129-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/2332-130-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/2332-131-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/2332-132-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/2332-133-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/2332-134-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing