redline | 1954eb49f231c2a70291889f5b12331953adf76f1e4179c87b7b9cd871079d28

Analysis

Target

1954eb49f231c2a70291889f5b12331953adf76f1e417.exe
Size

407KB
MD5

f65bef156e7fe9ad83b9bf3936fb53b9
SHA1

51a9ce72d9f222ec08ca7b99e2bd724ea567db16
SHA256

1954eb49f231c2a70291889f5b12331953adf76f1e4179c87b7b9cd871079d28
SHA512

fbbe57102523d44d65488a37661e023a55a9764f482fa99af023e38fc736b1aafdbd42fe194ef141f805f76e293d641979bd4ac302be889ac4c83df45a7e8352

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-57-0x0000000000390000-0x00000000003AC000-memory.dmp	family_redline
behavioral1/memory/1668-61-0x0000000002C10000-0x0000000002C2B000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1954eb49f231c2a70291889f5b12331953adf76f1e417.exe

description pid process

Token: SeDebugPrivilege 1668 1954eb49f231c2a70291889f5b12331953adf76f1e417.exe

description	pid	process
Token: SeDebugPrivilege	1668	1954eb49f231c2a70291889f5b12331953adf76f1e417.exe

C:\Users\Admin\AppData\Local\Temp\1954eb49f231c2a70291889f5b12331953adf76f1e417.exe
"C:\Users\Admin\AppData\Local\Temp\1954eb49f231c2a70291889f5b12331953adf76f1e417.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1668-54-0x00000000010F8000-0x000000000111B000-memory.dmp

Filesize
140KB

Download
memory/1668-55-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/1668-56-0x0000000000400000-0x0000000001036000-memory.dmp

Filesize
12.2MB

Download
memory/1668-57-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/1668-58-0x0000000002BD1000-0x0000000002BD2000-memory.dmp

Filesize
4KB

Download
memory/1668-59-0x0000000002BD2000-0x0000000002BD3000-memory.dmp

Filesize
4KB

Download
memory/1668-60-0x0000000002BD3000-0x0000000002BD4000-memory.dmp

Filesize
4KB

Download
memory/1668-61-0x0000000002C10000-0x0000000002C2B000-memory.dmp

Filesize
108KB

Download
memory/1668-62-0x0000000002BD4000-0x0000000002BD6000-memory.dmp

Filesize
8KB

Download