redline | 562b48015b238c92691603ad4f135142e74de037e9da68138d425d0e84d1f579

General

Target

SecuriteInfo.com.Trojan.PWS.Siggen3.6097.17539.1704.exe
Size

307KB
MD5

eb3dc34b30150232a4e405da24b8cf15
SHA1

d2d249e79420b234a99774100eb997113f30c510
SHA256

562b48015b238c92691603ad4f135142e74de037e9da68138d425d0e84d1f579
SHA512

c68f922fc6e51fa5c50de52841aa407e4dfe6a1f80a97d80f098a7a8b1ab385353919485625413af78655cde6582a5338c62a590897b25a97b7edbd9266db26c

Score

10^/10

redline sewpalpadin discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

SewPalpadin

C2

185.215.113.29:1102

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3620-118-0x0000000002450000-0x000000000247E000-memory.dmp	family_redline
behavioral2/memory/3620-124-0x0000000002500000-0x000000000252C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	SecuriteInfo.com.Trojan.PWS.Siggen3.6097.17539.1704.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen3.6097.17539.1704.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen3.6097.17539.1704.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3620-118-0x0000000002450000-0x000000000247E000-memory.dmp

Filesize
184KB

Download
memory/3620-119-0x0000000002180000-0x00000000021AB000-memory.dmp

Filesize
172KB

Download
memory/3620-120-0x00000000021B0000-0x00000000021E9000-memory.dmp

Filesize
228KB

Download
memory/3620-121-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3620-122-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3620-123-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3620-124-0x0000000002500000-0x000000000252C000-memory.dmp

Filesize
176KB

Download
memory/3620-125-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/3620-126-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3620-127-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3620-128-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3620-129-0x0000000004C92000-0x0000000004C93000-memory.dmp

Filesize
4KB

Download
memory/3620-131-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/3620-132-0x0000000004C94000-0x0000000004C96000-memory.dmp

Filesize
8KB

Download
memory/3620-130-0x0000000004C93000-0x0000000004C94000-memory.dmp

Filesize
4KB

Download
memory/3620-133-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/3620-134-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/3620-135-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/3620-136-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/3620-137-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/3620-138-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing