redline | 5796ecff3c1ba56d5a4621541b6ae78b2886ba045ce49597c14296cb23dfbe69

General

Target

5796ecff3c1ba56d5a4621541b6ae78b2886ba045ce49597c14296cb23dfbe69.exe
Size

387KB
MD5

e5bea294619995c8cf03c4b577824c98
SHA1

63869d29a98cc6df192305abced2ccb93c4313a3
SHA256

5796ecff3c1ba56d5a4621541b6ae78b2886ba045ce49597c14296cb23dfbe69
SHA512

6fc5c8007db4785df1ce3bb59e7d249bc09e000a88a5779b2270407e52cc8ffe274ab4917d96e137b46602986af1c574ab25f9d4bb7c8756e00f892d2e399406

Score

10^/10

redline noname discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

noname

C2

185.215.113.29:34865

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2476-118-0x0000000002780000-0x00000000027B4000-memory.dmp	family_redline
behavioral1/memory/2476-123-0x0000000002920000-0x0000000002952000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5796ecff3c1ba56d5a4621541b6ae78b2886ba045ce49597c14296cb23dfbe69.exe

description pid process

Token: SeDebugPrivilege 2476 5796ecff3c1ba56d5a4621541b6ae78b2886ba045ce49597c14296cb23dfbe69.exe

description	pid	process
Token: SeDebugPrivilege	2476	5796ecff3c1ba56d5a4621541b6ae78b2886ba045ce49597c14296cb23dfbe69.exe

C:\Users\Admin\AppData\Local\Temp\5796ecff3c1ba56d5a4621541b6ae78b2886ba045ce49597c14296cb23dfbe69.exe
"C:\Users\Admin\AppData\Local\Temp\5796ecff3c1ba56d5a4621541b6ae78b2886ba045ce49597c14296cb23dfbe69.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-115-0x00000000008C6000-0x00000000008F2000-memory.dmp

Filesize
176KB

Download
memory/2476-117-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2476-116-0x0000000000860000-0x0000000000899000-memory.dmp

Filesize
228KB

Download
memory/2476-118-0x0000000002780000-0x00000000027B4000-memory.dmp

Filesize
208KB

Download
memory/2476-120-0x0000000004EC2000-0x0000000004EC3000-memory.dmp

Filesize
4KB

Download
memory/2476-119-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2476-121-0x0000000004EC3000-0x0000000004EC4000-memory.dmp

Filesize
4KB

Download
memory/2476-122-0x0000000004ED0000-0x00000000053CE000-memory.dmp

Filesize
5.0MB

Download
memory/2476-123-0x0000000002920000-0x0000000002952000-memory.dmp

Filesize
200KB

Download
memory/2476-124-0x00000000053D0000-0x00000000059D6000-memory.dmp

Filesize
6.0MB

Download
memory/2476-125-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/2476-126-0x0000000004D90000-0x0000000004E9A000-memory.dmp

Filesize
1.0MB

Download
memory/2476-127-0x0000000005A00000-0x0000000005A3E000-memory.dmp

Filesize
248KB

Download
memory/2476-128-0x0000000004EC4000-0x0000000004EC6000-memory.dmp

Filesize
8KB

Download
memory/2476-129-0x0000000005A50000-0x0000000005A9B000-memory.dmp

Filesize
300KB

Download
memory/2476-130-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/2476-131-0x00000000063B0000-0x0000000006426000-memory.dmp

Filesize
472KB

Download
memory/2476-132-0x0000000006450000-0x00000000064E2000-memory.dmp

Filesize
584KB

Download
memory/2476-133-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/2476-134-0x0000000006770000-0x0000000006932000-memory.dmp

Filesize
1.8MB

Download
memory/2476-135-0x0000000006940000-0x0000000006E6C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing