redline | 4bd455ca12b02eefd27ba9f1e9ae81f35206be2d76e9610d09f46d72eb586984

General

Target

4bd455ca12b02eefd27ba9f1e9ae81f35206be2d76e9610d09f46d72eb586984.exe
Size

285KB
MD5

0f35aa2dc7271aef7bf8072dd1310b00
SHA1

5c5b6fc136889ca0437bc70898a8f230dcd96009
SHA256

4bd455ca12b02eefd27ba9f1e9ae81f35206be2d76e9610d09f46d72eb586984
SHA512

f6621fa5fe87c3d01d45ea1bcb51b99478b0e57887597748590c5816918a440d3bcff07acac961bd3a203f91bdd2d222e9d5d764cb3c0bec19c3ca8563aaae14

Score

10^/10

redline udptest discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

udptest

C2

193.56.146.64:65441

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3636-118-0x0000000002330000-0x000000000235E000-memory.dmp	family_redline
behavioral1/memory/3636-126-0x0000000005050000-0x000000000507C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4bd455ca12b02eefd27ba9f1e9ae81f35206be2d76e9610d09f46d72eb586984.exe

description pid process

Token: SeDebugPrivilege 3636 4bd455ca12b02eefd27ba9f1e9ae81f35206be2d76e9610d09f46d72eb586984.exe

description	pid	process
Token: SeDebugPrivilege	3636	4bd455ca12b02eefd27ba9f1e9ae81f35206be2d76e9610d09f46d72eb586984.exe

C:\Users\Admin\AppData\Local\Temp\4bd455ca12b02eefd27ba9f1e9ae81f35206be2d76e9610d09f46d72eb586984.exe
"C:\Users\Admin\AppData\Local\Temp\4bd455ca12b02eefd27ba9f1e9ae81f35206be2d76e9610d09f46d72eb586984.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3636-118-0x0000000002330000-0x000000000235E000-memory.dmp

Filesize
184KB

Download
memory/3636-119-0x0000000002160000-0x000000000218B000-memory.dmp

Filesize
172KB

Download
memory/3636-120-0x0000000002190000-0x00000000021C9000-memory.dmp

Filesize
228KB

Download
memory/3636-121-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3636-122-0x0000000002372000-0x0000000002373000-memory.dmp

Filesize
4KB

Download
memory/3636-123-0x0000000002373000-0x0000000002374000-memory.dmp

Filesize
4KB

Download
memory/3636-124-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3636-125-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3636-126-0x0000000005050000-0x000000000507C000-memory.dmp

Filesize
176KB

Download
memory/3636-127-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/3636-128-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3636-129-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3636-130-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3636-131-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3636-132-0x0000000002374000-0x0000000002376000-memory.dmp

Filesize
8KB

Download
memory/3636-133-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3636-134-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/3636-135-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/3636-136-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/3636-137-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/3636-138-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing