redline | f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00

General

Target

f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
Size

145KB
MD5

975e2a8879c2d40e6db9704e75868e53
SHA1

746e10e1a92ead22dc951a2feb0ec70a696f944e
SHA256

f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00
SHA512

2ebbdf66c21d3a64a92f3e56a524e9255af702158ab9c39b1700515abd64aa301f24bab5560d056b777982bceee7a99d0bdd7fc71c83d8b25e2a6bc461b83f07

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1156-122-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1156-123-0x0000000000436D2E-mapping.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe

description	pid	process	target process
PID 3616 set thread context of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exef2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe

pid	process
3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
1156	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exef2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe

description	pid	process
Token: SeDebugPrivilege	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
Token: SeDebugPrivilege	1156	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe

description	pid	process	target process
PID 3616 wrote to memory of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
PID 3616 wrote to memory of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
PID 3616 wrote to memory of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
PID 3616 wrote to memory of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
PID 3616 wrote to memory of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
PID 3616 wrote to memory of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
PID 3616 wrote to memory of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
PID 3616 wrote to memory of 1156	3616	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe	f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe

C:\Users\Admin\AppData\Local\Temp\f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
"C:\Users\Admin\AppData\Local\Temp\f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
C:\Users\Admin\AppData\Local\Temp\f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00.exe.log
MD5
daa436d058b25bdde9e2d6fe53c6ccf6

SHA1
3fc5d1eab28db05865915d8f6d9ecf85d9cc1d9e

SHA256
afb0ed8659b214fe4251a87a1c0a362c123363497fbd50737c1ae36a9376c4cd

SHA512
84f13582070ae4a3a9bb5e4b29620e659c258ab282e43e9bfa50528c08aae875d8c33cf3647fbb1253102af39b89f3b97f316e62f544355cc9c379e04fba960a

Download Submit
memory/1156-133-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/1156-136-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/1156-129-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/1156-131-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1156-130-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/1156-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-123-0x0000000000436D2E-mapping.dmp

Download
memory/1156-141-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/1156-127-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1156-128-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/1156-140-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/1156-139-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/1156-138-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/1156-132-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1156-135-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/3616-115-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3616-118-0x00000000054C0000-0x000000000551D000-memory.dmp

Filesize
372KB

Download
memory/3616-120-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/3616-121-0x00000000056C0000-0x00000000056E7000-memory.dmp

Filesize
156KB

Download
memory/3616-119-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/3616-117-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads