redline | f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00

General

Target

975e2a8879c2d40e6db9704e75868e53.exe
Size

145KB
MD5

975e2a8879c2d40e6db9704e75868e53
SHA1

746e10e1a92ead22dc951a2feb0ec70a696f944e
SHA256

f2b97834b52dab540606e6cf181131ea9c9ad621c8d7ef9f6f4dc1ad40de3a00
SHA512

2ebbdf66c21d3a64a92f3e56a524e9255af702158ab9c39b1700515abd64aa301f24bab5560d056b777982bceee7a99d0bdd7fc71c83d8b25e2a6bc461b83f07

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1348-63-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1348-64-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1348-65-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1348-66-0x0000000000436D2E-mapping.dmp	family_redline
behavioral1/memory/1348-67-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

975e2a8879c2d40e6db9704e75868e53.exe

description pid process target process

PID 1196 set thread context of 1348 1196 975e2a8879c2d40e6db9704e75868e53.exe 975e2a8879c2d40e6db9704e75868e53.exe

description	pid	process	target process
PID 1196 set thread context of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

975e2a8879c2d40e6db9704e75868e53.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	975e2a8879c2d40e6db9704e75868e53.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	975e2a8879c2d40e6db9704e75868e53.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	975e2a8879c2d40e6db9704e75868e53.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

975e2a8879c2d40e6db9704e75868e53.exe975e2a8879c2d40e6db9704e75868e53.exe

pid process

1196 975e2a8879c2d40e6db9704e75868e53.exe
1196 975e2a8879c2d40e6db9704e75868e53.exe
1348 975e2a8879c2d40e6db9704e75868e53.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

975e2a8879c2d40e6db9704e75868e53.exe975e2a8879c2d40e6db9704e75868e53.exe

description pid process

Token: SeDebugPrivilege 1196 975e2a8879c2d40e6db9704e75868e53.exe
Token: SeDebugPrivilege 1348 975e2a8879c2d40e6db9704e75868e53.exe

pid	process
1196	975e2a8879c2d40e6db9704e75868e53.exe
1196	975e2a8879c2d40e6db9704e75868e53.exe
1348	975e2a8879c2d40e6db9704e75868e53.exe

description	pid	process
Token: SeDebugPrivilege	1196	975e2a8879c2d40e6db9704e75868e53.exe
Token: SeDebugPrivilege	1348	975e2a8879c2d40e6db9704e75868e53.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

975e2a8879c2d40e6db9704e75868e53.exe

description	pid	process	target process
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe
PID 1196 wrote to memory of 1348	1196	975e2a8879c2d40e6db9704e75868e53.exe	975e2a8879c2d40e6db9704e75868e53.exe

C:\Users\Admin\AppData\Local\Temp\975e2a8879c2d40e6db9704e75868e53.exe
"C:\Users\Admin\AppData\Local\Temp\975e2a8879c2d40e6db9704e75868e53.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\975e2a8879c2d40e6db9704e75868e53.exe
C:\Users\Admin\AppData\Local\Temp\975e2a8879c2d40e6db9704e75868e53.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-55-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/1196-57-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1196-58-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1196-59-0x0000000001050000-0x00000000010AD000-memory.dmp

Filesize
372KB

Download
memory/1196-60-0x0000000000BD0000-0x0000000000BF7000-memory.dmp

Filesize
156KB

Download
memory/1348-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-66-0x0000000000436D2E-mapping.dmp

Download
memory/1348-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-70-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1348-71-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads