redline | 880052859453b31ebe34e316456e7a8974f508aa5fa8e20b7ae7dc6ff06e5dbb

General

Target

880052859453b31ebe34e316456e7a8974f508aa5fa8e20b7ae7dc6ff06e5dbb.exe
Size

391KB
MD5

099cea11e0ac7a6194ce8c173a159d8d
SHA1

8bbab3d70dbd961285f3ff9b48b13cf1b1997b9f
SHA256

880052859453b31ebe34e316456e7a8974f508aa5fa8e20b7ae7dc6ff06e5dbb
SHA512

3a6c59f8aaf1b4de3e00e3353e575de7830e8df445a35e0678bd529553c699a17c7bb1dcd925bdaf3a2a843a6e8b819783b61e6dc33473c7e7e0670c7454d263

Score

10^/10

redline noname discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

NONAME

C2

45.9.20.111:1355

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3328-119-0x00000000023A0000-0x00000000023D4000-memory.dmp	family_redline
behavioral1/memory/3328-123-0x00000000025A0000-0x00000000025D2000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

880052859453b31ebe34e316456e7a8974f508aa5fa8e20b7ae7dc6ff06e5dbb.exe

description pid process

Token: SeDebugPrivilege 3328 880052859453b31ebe34e316456e7a8974f508aa5fa8e20b7ae7dc6ff06e5dbb.exe

description	pid	process
Token: SeDebugPrivilege	3328	880052859453b31ebe34e316456e7a8974f508aa5fa8e20b7ae7dc6ff06e5dbb.exe

C:\Users\Admin\AppData\Local\Temp\880052859453b31ebe34e316456e7a8974f508aa5fa8e20b7ae7dc6ff06e5dbb.exe
"C:\Users\Admin\AppData\Local\Temp\880052859453b31ebe34e316456e7a8974f508aa5fa8e20b7ae7dc6ff06e5dbb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3328-115-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3328-116-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3328-117-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3328-118-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/3328-119-0x00000000023A0000-0x00000000023D4000-memory.dmp

Filesize
208KB

Download
memory/3328-121-0x0000000004BC3000-0x0000000004BC4000-memory.dmp

Filesize
4KB

Download
memory/3328-120-0x0000000004BC2000-0x0000000004BC3000-memory.dmp

Filesize
4KB

Download
memory/3328-122-0x0000000004BD0000-0x00000000050CE000-memory.dmp

Filesize
5.0MB

Download
memory/3328-123-0x00000000025A0000-0x00000000025D2000-memory.dmp

Filesize
200KB

Download
memory/3328-124-0x00000000050D0000-0x00000000056D6000-memory.dmp

Filesize
6.0MB

Download
memory/3328-125-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

Filesize
72KB

Download
memory/3328-126-0x00000000056E0000-0x00000000057EA000-memory.dmp

Filesize
1.0MB

Download
memory/3328-127-0x0000000004B40000-0x0000000004B7E000-memory.dmp

Filesize
248KB

Download
memory/3328-128-0x0000000004BC4000-0x0000000004BC6000-memory.dmp

Filesize
8KB

Download
memory/3328-129-0x00000000057F0000-0x000000000583B000-memory.dmp

Filesize
300KB

Download
memory/3328-130-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/3328-131-0x0000000006110000-0x0000000006186000-memory.dmp

Filesize
472KB

Download
memory/3328-132-0x00000000061C0000-0x0000000006252000-memory.dmp

Filesize
584KB

Download
memory/3328-133-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/3328-134-0x00000000064E0000-0x00000000066A2000-memory.dmp

Filesize
1.8MB

Download
memory/3328-135-0x00000000066B0000-0x0000000006BDC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing