redline | 4a4ad05136a448b3a4c85192487478f65ce3b59485bfeff01ebf1a6ded04f077

General

Target

4a4ad05136a448b3a4c85192487478f65ce3b59485bfeff01ebf1a6ded04f077.exe
Size

424KB
MD5

cdc16d54d1797f9450f4217c155db3ab
SHA1

6f56727362e1102ce839f38c0c828bead9b1521e
SHA256

4a4ad05136a448b3a4c85192487478f65ce3b59485bfeff01ebf1a6ded04f077
SHA512

fbc4a9a06501974fb5ceb2528520008f4aeed71bfaccf7ac37f33f4d3c854aabd19ffc62c24338b59c91938c9e93f5e1c3ef84562a6f55c8e055b20e1ac2341f

Score

10^/10

redline noname discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

noname

C2

185.215.113.29:34865

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-116-0x00000000025A0000-0x00000000025D4000-memory.dmp	family_redline
behavioral1/memory/2708-123-0x0000000002630000-0x0000000002662000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4a4ad05136a448b3a4c85192487478f65ce3b59485bfeff01ebf1a6ded04f077.exe

description pid process

Token: SeDebugPrivilege 2708 4a4ad05136a448b3a4c85192487478f65ce3b59485bfeff01ebf1a6ded04f077.exe

description	pid	process
Token: SeDebugPrivilege	2708	4a4ad05136a448b3a4c85192487478f65ce3b59485bfeff01ebf1a6ded04f077.exe

C:\Users\Admin\AppData\Local\Temp\4a4ad05136a448b3a4c85192487478f65ce3b59485bfeff01ebf1a6ded04f077.exe
"C:\Users\Admin\AppData\Local\Temp\4a4ad05136a448b3a4c85192487478f65ce3b59485bfeff01ebf1a6ded04f077.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2708-115-0x000000000088A000-0x00000000008B5000-memory.dmp

Filesize
172KB

Download
memory/2708-116-0x00000000025A0000-0x00000000025D4000-memory.dmp

Filesize
208KB

Download
memory/2708-118-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2708-117-0x0000000002250000-0x0000000002289000-memory.dmp

Filesize
228KB

Download
memory/2708-119-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2708-120-0x00000000026F2000-0x00000000026F3000-memory.dmp

Filesize
4KB

Download
memory/2708-121-0x00000000026F3000-0x00000000026F4000-memory.dmp

Filesize
4KB

Download
memory/2708-122-0x0000000004D30000-0x000000000522E000-memory.dmp

Filesize
5.0MB

Download
memory/2708-123-0x0000000002630000-0x0000000002662000-memory.dmp

Filesize
200KB

Download
memory/2708-124-0x0000000005230000-0x0000000005836000-memory.dmp

Filesize
6.0MB

Download
memory/2708-125-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2708-126-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/2708-127-0x00000000028A0000-0x00000000028DE000-memory.dmp

Filesize
248KB

Download
memory/2708-128-0x0000000005A60000-0x0000000005AAB000-memory.dmp

Filesize
300KB

Download
memory/2708-129-0x00000000026F4000-0x00000000026F6000-memory.dmp

Filesize
8KB

Download
memory/2708-130-0x0000000005C00000-0x0000000005C76000-memory.dmp

Filesize
472KB

Download
memory/2708-131-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/2708-132-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/2708-133-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/2708-134-0x0000000006610000-0x00000000067D2000-memory.dmp

Filesize
1.8MB

Download
memory/2708-135-0x00000000067E0000-0x0000000006D0C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing