redline | 1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc

General

Target

1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe
Size

361KB
MD5

60c1c744ea8ef33fecca02fc1ed86d87
SHA1

8c63cb28883d6816e13a4a1da3915233687fb33f
SHA256

1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc
SHA512

082e8176ab8648e3427f2fcbc6c472ea47091e14c9062214cc4f3a6b33336e18a8c2c5d48cda0be855b1f9e4d9c06ea90584ee5b8b6381b5cb01f474642b2ea0

Score

10^/10

redline 09.11 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

09.11

C2

185.215.113.17:7700

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2728-118-0x0000000002650000-0x000000000267E000-memory.dmp	family_redline
behavioral1/memory/2728-120-0x00000000027F0000-0x000000000281C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe

pid process

2728 1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe

description pid process

Token: SeDebugPrivilege 2728 1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe

pid	process
2728	1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe

description	pid	process
Token: SeDebugPrivilege	2728	1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe

C:\Users\Admin\AppData\Local\Temp\1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe
"C:\Users\Admin\AppData\Local\Temp\1e1daae3257119a71a5f017ca4986a933a961b226955b651fc91502ac391a5fc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2728-116-0x00000000021D0000-0x0000000002209000-memory.dmp

Filesize
228KB

Download
memory/2728-115-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/2728-117-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2728-118-0x0000000002650000-0x000000000267E000-memory.dmp

Filesize
184KB

Download
memory/2728-119-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2728-120-0x00000000027F0000-0x000000000281C000-memory.dmp

Filesize
176KB

Download
memory/2728-122-0x0000000004D62000-0x0000000004D63000-memory.dmp

Filesize
4KB

Download
memory/2728-123-0x0000000004D63000-0x0000000004D64000-memory.dmp

Filesize
4KB

Download
memory/2728-121-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2728-124-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/2728-125-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2728-126-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/2728-127-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/2728-128-0x0000000004D64000-0x0000000004D66000-memory.dmp

Filesize
8KB

Download
memory/2728-129-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/2728-130-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download
memory/2728-131-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/2728-132-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/2728-133-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/2728-134-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/2728-135-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing