redline | fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61

General

Target

fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
Size

996KB
MD5

a1babf0484d8b02a2488d7e5f7360cf2
SHA1

1a1888655f4d514d430ecb4eb4e62f76108776fd
SHA256

fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61
SHA512

a30e380f135f51f85a109d95ec959c3b8744fc4e1e26fb7b6d8743ece2183191e72b64f8794e002f9eb097a2a8937177648f2642c12bbaf0a16e84bfa8b949aa

Score

10^/10

redline 1.12.2021 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

1.12.2021

C2

95.217.213.248:42382

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1540-123-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1540-124-0x0000000000418F0A-mapping.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

description	pid	process	target process
PID 4088 set thread context of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

pid process

1540 fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

pid	process
1540	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exefde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

description	pid	process
Token: SeDebugPrivilege	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
Token: SeDebugPrivilege	1540	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

description	pid	process	target process
PID 4088 wrote to memory of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
PID 4088 wrote to memory of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
PID 4088 wrote to memory of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
PID 4088 wrote to memory of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
PID 4088 wrote to memory of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
PID 4088 wrote to memory of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
PID 4088 wrote to memory of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
PID 4088 wrote to memory of 1540	4088	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe	fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe

C:\Users\Admin\AppData\Local\Temp\fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
"C:\Users\Admin\AppData\Local\Temp\fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
C:\Users\Admin\AppData\Local\Temp\fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61.exe.log
MD5
4de34ae26d6f8e75b21ca785fe848774

SHA1
0899d1dd34e6d8b7e513a30a57aa4bfaa4d17090

SHA256
0b9b31708187948cb3e445afc11c88cf4c34c00423e31bd83cc330012d8127f8

SHA512
aa08459ff6948555ca3f48b1537b222a56f33fba103a1b4e688667660a2b692bda2d7943f5b2d26232d5c87a0651c3e7e0c5437a78e9723d25b26036cb1c1f2b

Download Submit
memory/1540-133-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1540-135-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/1540-129-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/1540-131-0x0000000004E70000-0x0000000005476000-memory.dmp

Filesize
6.0MB

Download
memory/1540-130-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1540-140-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/1540-123-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1540-124-0x0000000000418F0A-mapping.dmp

Download
memory/1540-139-0x0000000006830000-0x0000000006831000-memory.dmp

Filesize
4KB

Download
memory/1540-128-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/1540-138-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/1540-136-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/1540-134-0x0000000005F90000-0x0000000005F91000-memory.dmp

Filesize
4KB

Download
memory/1540-132-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4088-115-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/4088-120-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/4088-118-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4088-121-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4088-119-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4088-117-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4088-122-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads