redline | 554856c73772eeaf942a9b79fab982fd65484573cdf1cc9e2cbb1746e6f83be6

General

Target

554856c73772eeaf942a9b79fab982fd65484573cdf1cc9e2cbb1746e6f83be6.exe
Size

242KB
MD5

8e801279f06e676fc183c042f212f2b0
SHA1

2475aa39872b07a5250406b856d09947e04cbc06
SHA256

554856c73772eeaf942a9b79fab982fd65484573cdf1cc9e2cbb1746e6f83be6
SHA512

bd0c0df301ca87fa06f9d14dd19a38d7df8fe90a23f9db27901e4f1f61a83b7dad2129678717382d2f645d6c0702ef763c65676e9089ec9a0b768014e8e05ec1

Score

10^/10

redline somebody discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

SomeBody

C2

185.215.113.29:36224

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3536-115-0x0000000002320000-0x000000000233C000-memory.dmp	family_redline
behavioral1/memory/3536-117-0x0000000002540000-0x000000000255B000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

554856c73772eeaf942a9b79fab982fd65484573cdf1cc9e2cbb1746e6f83be6.exe

description pid process

Token: SeDebugPrivilege 3536 554856c73772eeaf942a9b79fab982fd65484573cdf1cc9e2cbb1746e6f83be6.exe

description	pid	process
Token: SeDebugPrivilege	3536	554856c73772eeaf942a9b79fab982fd65484573cdf1cc9e2cbb1746e6f83be6.exe

C:\Users\Admin\AppData\Local\Temp\554856c73772eeaf942a9b79fab982fd65484573cdf1cc9e2cbb1746e6f83be6.exe
"C:\Users\Admin\AppData\Local\Temp\554856c73772eeaf942a9b79fab982fd65484573cdf1cc9e2cbb1746e6f83be6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3536-115-0x0000000002320000-0x000000000233C000-memory.dmp

Filesize
112KB

Download
memory/3536-116-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/3536-117-0x0000000002540000-0x000000000255B000-memory.dmp

Filesize
108KB

Download
memory/3536-118-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3536-119-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3536-120-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3536-121-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3536-122-0x00000000006D0000-0x00000000006F2000-memory.dmp

Filesize
136KB

Download
memory/3536-123-0x00000000021C0000-0x00000000021F0000-memory.dmp

Filesize
192KB

Download
memory/3536-124-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3536-125-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3536-126-0x0000000002342000-0x0000000002343000-memory.dmp

Filesize
4KB

Download
memory/3536-127-0x0000000002343000-0x0000000002344000-memory.dmp

Filesize
4KB

Download
memory/3536-128-0x0000000002344000-0x0000000002346000-memory.dmp

Filesize
8KB

Download
memory/3536-129-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3536-130-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/3536-131-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/3536-132-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/3536-133-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download
memory/3536-134-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/3536-135-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing