redline | 65ac41a575bef9b2c3bccc5699bdd6962e4bc7b30618ac876a880e3528c50493

General

Target

Loader.exe
Size

1.1MB
MD5

35ef1da481434536d768ea3d38afd4c6
SHA1

55681185303670a382514f649c0c26e1aeadc53b
SHA256

65ac41a575bef9b2c3bccc5699bdd6962e4bc7b30618ac876a880e3528c50493
SHA512

e136c3aa9a679ee554eae6e5899cdfadecf0fecf0d94c5c8cd245f3abb3e77dcb7935bd3e3791220e690aa137b1558b35d03772d12dc95848ba7fc6b3b045fe1

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3840-125-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3840-126-0x0000000000418D56-mapping.dmp	family_redline

Downloads MZ/PE file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Loader.exe

description pid process target process

PID 3084 set thread context of 3840 3084 Loader.exe Loader.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Loader.exe

pid process

3840 Loader.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Loader.exeLoader.exe

description pid process

Token: SeDebugPrivilege 3084 Loader.exe
Token: SeDebugPrivilege 3840 Loader.exe

description	pid	process	target process
PID 3084 set thread context of 3840	3084	Loader.exe	Loader.exe

pid	process
3840	Loader.exe

description	pid	process
Token: SeDebugPrivilege	3084	Loader.exe
Token: SeDebugPrivilege	3840	Loader.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Loader.exe

description	pid	process	target process
PID 3084 wrote to memory of 3840	3084	Loader.exe	Loader.exe
PID 3084 wrote to memory of 3840	3084	Loader.exe	Loader.exe
PID 3084 wrote to memory of 3840	3084	Loader.exe	Loader.exe
PID 3084 wrote to memory of 3840	3084	Loader.exe	Loader.exe
PID 3084 wrote to memory of 3840	3084	Loader.exe	Loader.exe
PID 3084 wrote to memory of 3840	3084	Loader.exe	Loader.exe
PID 3084 wrote to memory of 3840	3084	Loader.exe	Loader.exe
PID 3084 wrote to memory of 3840	3084	Loader.exe	Loader.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
memory/3084-115-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3084-117-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3084-118-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3084-119-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3084-120-0x0000000004EA0000-0x000000000539E000-memory.dmp

Filesize
5.0MB

Download
memory/3084-121-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3084-122-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3084-123-0x0000000004EA0000-0x000000000539E000-memory.dmp

Filesize
5.0MB

Download
memory/3084-124-0x00000000090F0000-0x00000000091E7000-memory.dmp

Filesize
988KB

Download
memory/3840-126-0x0000000000418D56-mapping.dmp

Download
memory/3840-129-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/3840-130-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3840-131-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/3840-132-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/3840-133-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/3840-134-0x00000000056D0000-0x0000000005CD6000-memory.dmp

Filesize
6.0MB

Download
memory/3840-135-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/3840-138-0x0000000005C90000-0x0000000005C91000-memory.dmp

Filesize
4KB

Download
memory/3840-139-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/3840-140-0x0000000007320000-0x0000000007321000-memory.dmp

Filesize
4KB

Download
memory/3840-141-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/3840-125-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing