redline | f8daaa065a27508babcd8e898c3f1eda824531105cdcf07ceceee2fda53d5a5f

General

Target

f1ea8c489b66edd67b4eb1d103d64140.exe
Size

421KB
MD5

f1ea8c489b66edd67b4eb1d103d64140
SHA1

183a88297c47ed713c001fff172d752a3cf0a9fb
SHA256

f8daaa065a27508babcd8e898c3f1eda824531105cdcf07ceceee2fda53d5a5f
SHA512

92b219df646384f8787a2c97442ca62b19fbe05c8ed7821da60551a912800c2cb8788f414465e380ff0db546193bff2d2093105c12b8df9645ca51d649c024d5

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2528-122-0x0000000000230000-0x0000000000295000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

9280844437.exe

pid process

2528 9280844437.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

9280844437.exe

pid process

2528 9280844437.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9280844437.exe

pid process

2528 9280844437.exe
2528 9280844437.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9280844437.exe

description pid process

Token: SeDebugPrivilege 2528 9280844437.exe

pid	process
2528	9280844437.exe

pid	process
2528	9280844437.exe

pid	process
2528	9280844437.exe
2528	9280844437.exe

description	pid	process
Token: SeDebugPrivilege	2528	9280844437.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f1ea8c489b66edd67b4eb1d103d64140.execmd.exe

description	pid	process	target process
PID 2460 wrote to memory of 2276	2460	f1ea8c489b66edd67b4eb1d103d64140.exe	cmd.exe
PID 2460 wrote to memory of 2276	2460	f1ea8c489b66edd67b4eb1d103d64140.exe	cmd.exe
PID 2460 wrote to memory of 2276	2460	f1ea8c489b66edd67b4eb1d103d64140.exe	cmd.exe
PID 2276 wrote to memory of 2528	2276	cmd.exe	9280844437.exe
PID 2276 wrote to memory of 2528	2276	cmd.exe	9280844437.exe
PID 2276 wrote to memory of 2528	2276	cmd.exe	9280844437.exe

C:\Users\Admin\AppData\Local\Temp\f1ea8c489b66edd67b4eb1d103d64140.exe
"C:\Users\Admin\AppData\Local\Temp\f1ea8c489b66edd67b4eb1d103d64140.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9280844437.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\9280844437.exe
"C:\Users\Admin\AppData\Local\Temp\9280844437.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9280844437.exe
MD5
9753fcfc4f6d3c1c7c4928e0285ac883

SHA1
ae3cabef7e0474fdf55f9f23336ee0a2de5d20ad

SHA256
029ab5454401a5c37fca1c8dcd240b6727cf0ccb8c5aa1d121196e2a76db5f4d

SHA512
e91092e034ac4fc1884887f18031605033e5e56d6f845fa92ccbdef3dd231c5070be588b21c5993dd2d33e7b5b44b5608570389fe411eff04d542fc064753aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9280844437.exe
MD5
9753fcfc4f6d3c1c7c4928e0285ac883

SHA1
ae3cabef7e0474fdf55f9f23336ee0a2de5d20ad

SHA256
029ab5454401a5c37fca1c8dcd240b6727cf0ccb8c5aa1d121196e2a76db5f4d

SHA512
e91092e034ac4fc1884887f18031605033e5e56d6f845fa92ccbdef3dd231c5070be588b21c5993dd2d33e7b5b44b5608570389fe411eff04d542fc064753aac

Download Submit
memory/2276-118-0x0000000000000000-mapping.dmp

Download
memory/2460-117-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2460-116-0x00000000004F0000-0x000000000053A000-memory.dmp

Filesize
296KB

Download
memory/2460-115-0x0000000000761000-0x000000000078B000-memory.dmp

Filesize
168KB

Download
memory/2528-130-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/2528-133-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/2528-123-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/2528-124-0x0000000075AF0000-0x0000000075CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2528-125-0x0000000003010000-0x0000000003055000-memory.dmp

Filesize
276KB

Download
memory/2528-126-0x0000000075940000-0x0000000075A31000-memory.dmp

Filesize
964KB

Download
memory/2528-127-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2528-129-0x0000000070C80000-0x0000000070D00000-memory.dmp

Filesize
512KB

Download
memory/2528-119-0x0000000000000000-mapping.dmp

Download
memory/2528-131-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/2528-132-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/2528-122-0x0000000000230000-0x0000000000295000-memory.dmp

Filesize
404KB

Download
memory/2528-134-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/2528-135-0x0000000073FD0000-0x0000000074554000-memory.dmp

Filesize
5.5MB

Download
memory/2528-136-0x00000000760A0000-0x00000000773E8000-memory.dmp

Filesize
19.3MB

Download
memory/2528-137-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/2528-138-0x000000006EEF0000-0x000000006EF3B000-memory.dmp

Filesize
300KB

Download
memory/2528-139-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/2528-140-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2528-141-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/2528-142-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/2528-143-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/2528-144-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/2528-145-0x0000000007D20000-0x0000000007D21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing