redline | f9587d1570af28b40a3e9e93940ade166037a3d6c9b33d5ed3beadd99e0eac93

General

Target

f9587d1570af28b40a3e9e93940ade166037a3d6c9b33d5ed3beadd99e0eac93.exe
Size

369KB
MD5

c1716f153e21f8b30a0f941f236ac971
SHA1

45fb349b55678d02dd47bd1374eb153580c7f9ab
SHA256

f9587d1570af28b40a3e9e93940ade166037a3d6c9b33d5ed3beadd99e0eac93
SHA512

776b39991ae6c4aca070ad69cf6a0fecd1ec1002c483eba9b4d630a6d8b3f20b2ac9d7e3b34711c675e44293a990146f56c9e019a6df4ef24fadc87956cf6669

Score

10^/10

redline sewpalp discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

sewPalp

C2

185.215.113.29:24645

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2476-119-0x0000000003500000-0x000000000351F000-memory.dmp	family_redline
behavioral1/memory/2476-121-0x00000000036D0000-0x00000000036ED000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f9587d1570af28b40a3e9e93940ade166037a3d6c9b33d5ed3beadd99e0eac93.exe

description pid process

Token: SeDebugPrivilege 2476 f9587d1570af28b40a3e9e93940ade166037a3d6c9b33d5ed3beadd99e0eac93.exe

description	pid	process
Token: SeDebugPrivilege	2476	f9587d1570af28b40a3e9e93940ade166037a3d6c9b33d5ed3beadd99e0eac93.exe

C:\Users\Admin\AppData\Local\Temp\f9587d1570af28b40a3e9e93940ade166037a3d6c9b33d5ed3beadd99e0eac93.exe
"C:\Users\Admin\AppData\Local\Temp\f9587d1570af28b40a3e9e93940ade166037a3d6c9b33d5ed3beadd99e0eac93.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-117-0x0000000000400000-0x00000000016CF000-memory.dmp

Filesize
18.8MB

Download
memory/2476-116-0x0000000003400000-0x0000000003430000-memory.dmp

Filesize
192KB

Download
memory/2476-118-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/2476-119-0x0000000003500000-0x000000000351F000-memory.dmp

Filesize
124KB

Download
memory/2476-120-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/2476-121-0x00000000036D0000-0x00000000036ED000-memory.dmp

Filesize
116KB

Download
memory/2476-122-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/2476-123-0x0000000005E82000-0x0000000005E83000-memory.dmp

Filesize
4KB

Download
memory/2476-124-0x0000000005E83000-0x0000000005E84000-memory.dmp

Filesize
4KB

Download
memory/2476-125-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2476-126-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/2476-127-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/2476-128-0x0000000005E84000-0x0000000005E86000-memory.dmp

Filesize
8KB

Download
memory/2476-129-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/2476-130-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/2476-131-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/2476-132-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/2476-133-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/2476-134-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/2476-135-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing