redline | cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242

General

Target

cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe
Size

239KB
MD5

e4304558c9e50eb91d6c5ce1f15a97d3
SHA1

b7a1325cf6ef06518aa9973f183d80ff497a1fac
SHA256

cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242
SHA512

d7b8a7561fbb7c2fe876a551843a2cfb21bff564490cb5434f303fd27145ef41e9a3bb57bf5362c5d234af02feffec162a9afd6d805e3dbd14484dba50a993c2

Score

10^/10

redline udp discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

UDP

C2

45.9.20.20:13441

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2384-115-0x0000000002550000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/2384-117-0x00000000025D0000-0x00000000025EE000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe

pid process

2384 cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe

description pid process

Token: SeDebugPrivilege 2384 cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe

pid	process
2384	cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe

description	pid	process
Token: SeDebugPrivilege	2384	cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe

C:\Users\Admin\AppData\Local\Temp\cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe
"C:\Users\Admin\AppData\Local\Temp\cfb2d2becb527eb6016ab52682ff8edeccf2412457b66d450ce68eeff0435242.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-115-0x0000000002550000-0x000000000256F000-memory.dmp

Filesize
124KB

Download
memory/2384-116-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2384-117-0x00000000025D0000-0x00000000025EE000-memory.dmp

Filesize
120KB

Download
memory/2384-118-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/2384-119-0x0000000002210000-0x0000000002240000-memory.dmp

Filesize
192KB

Download
memory/2384-120-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2384-121-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2384-122-0x0000000004D92000-0x0000000004D93000-memory.dmp

Filesize
4KB

Download
memory/2384-124-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2384-123-0x0000000004D93000-0x0000000004D94000-memory.dmp

Filesize
4KB

Download
memory/2384-125-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2384-126-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/2384-127-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/2384-128-0x0000000004D94000-0x0000000004D96000-memory.dmp

Filesize
8KB

Download
memory/2384-129-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/2384-130-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/2384-131-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/2384-132-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/2384-133-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/2384-134-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing