redline | 19d390fbe3da552929498622c2588a3bcba4cf9c13b8fe98503f94fe6ce5fa38

General

Target

19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
Size

313KB
MD5

a61020210efb3d65c3ee06d385dd979c
SHA1

5ac0ce24fb565fd5000d50f92ed9c59bd409a4ce
SHA256

19d390fbe3da552929498622c2588a3bcba4cf9c13b8fe98503f94fe6ce5fa38
SHA512

fae97e45a302d68c70d49b85fdcdbd34ea2a044ac8faee2fcbd9bf476f61e7687dd6f9c0398e1bc8f1c2a7c2b57271e9ffdf3d7138cbcbf4211ceb40954f57e5

Score

10^/10

redline build1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

build1

C2

77.232.36.199:32336

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-116-0x00000000026D0000-0x00000000026EF000-memory.dmp	family_redline
behavioral2/memory/4648-119-0x0000000002770000-0x000000000278E000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe

pid process

4648 19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
4648 19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe

description pid process

Token: SeDebugPrivilege 4648 19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe

pid	process
4648	19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
4648	19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe

description	pid	process
Token: SeDebugPrivilege	4648	19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe

C:\Users\Admin\AppData\Local\Temp\19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe
"C:\Users\Admin\AppData\Local\Temp\19d390fbe3da552929498622c2588a3bcba4cf9c13b8f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4648-115-0x0000000000400000-0x000000000087E000-memory.dmp

Filesize
4.5MB

Download
memory/4648-114-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/4648-116-0x00000000026D0000-0x00000000026EF000-memory.dmp

Filesize
124KB

Download
memory/4648-117-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4648-118-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/4648-119-0x0000000002770000-0x000000000278E000-memory.dmp

Filesize
120KB

Download
memory/4648-120-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/4648-121-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4648-122-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/4648-123-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/4648-125-0x0000000005293000-0x0000000005294000-memory.dmp

Filesize
4KB

Download
memory/4648-124-0x0000000005292000-0x0000000005293000-memory.dmp

Filesize
4KB

Download
memory/4648-126-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/4648-127-0x0000000005294000-0x0000000005296000-memory.dmp

Filesize
8KB

Download
memory/4648-128-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/4648-129-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/4648-130-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/4648-131-0x0000000008EA0000-0x0000000008EA1000-memory.dmp

Filesize
4KB

Download
memory/4648-132-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4648-133-0x00000000090F0000-0x00000000090F1000-memory.dmp

Filesize
4KB

Download
memory/4648-134-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing