redline | b5a4254a37a9af864bb7f3ed14fd67b704b652e9a959cf5e6fabeeeb8cf6174a

General

Target

c36a7de7c2857e901d1fc1c0af9f6682.exe
Size

888KB
MD5

c36a7de7c2857e901d1fc1c0af9f6682
SHA1

414740b4583f033d48c64b6494680d8c031a4632
SHA256

b5a4254a37a9af864bb7f3ed14fd67b704b652e9a959cf5e6fabeeeb8cf6174a
SHA512

664926d78e7360dc3309e62849a3799f511510fea4d241b5972e00e8e3e7c324b4100c5ec56a98d42d4cb24fa3c146bf472e8eda73c12bdc517e0abfdc076994

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3704-119-0x0000000000BC0000-0x0000000000C9D000-memory.dmp	family_redline
behavioral2/memory/3704-120-0x0000000000BC0000-0x0000000000C9D000-memory.dmp	family_redline
behavioral2/memory/3704-124-0x0000000000BC0000-0x0000000000C9D000-memory.dmp	family_redline
behavioral2/memory/3704-125-0x0000000000BC0000-0x0000000000C9D000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

c36a7de7c2857e901d1fc1c0af9f6682.exe

pid process

3704 c36a7de7c2857e901d1fc1c0af9f6682.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

c36a7de7c2857e901d1fc1c0af9f6682.exe

pid process

3704 c36a7de7c2857e901d1fc1c0af9f6682.exe
3704 c36a7de7c2857e901d1fc1c0af9f6682.exe
3704 c36a7de7c2857e901d1fc1c0af9f6682.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c36a7de7c2857e901d1fc1c0af9f6682.exe

description pid process

Token: SeDebugPrivilege 3704 c36a7de7c2857e901d1fc1c0af9f6682.exe

pid	process
3704	c36a7de7c2857e901d1fc1c0af9f6682.exe

pid	process
3704	c36a7de7c2857e901d1fc1c0af9f6682.exe
3704	c36a7de7c2857e901d1fc1c0af9f6682.exe
3704	c36a7de7c2857e901d1fc1c0af9f6682.exe

description	pid	process
Token: SeDebugPrivilege	3704	c36a7de7c2857e901d1fc1c0af9f6682.exe

C:\Users\Admin\AppData\Local\Temp\c36a7de7c2857e901d1fc1c0af9f6682.exe
"C:\Users\Admin\AppData\Local\Temp\c36a7de7c2857e901d1fc1c0af9f6682.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3704-118-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/3704-119-0x0000000000BC0000-0x0000000000C9D000-memory.dmp

Filesize
884KB

Download
memory/3704-120-0x0000000000BC0000-0x0000000000C9D000-memory.dmp

Filesize
884KB

Download
memory/3704-121-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3704-122-0x00000000766E0000-0x00000000768A2000-memory.dmp

Filesize
1.8MB

Download
memory/3704-123-0x00000000764E0000-0x00000000765D1000-memory.dmp

Filesize
964KB

Download
memory/3704-124-0x0000000000BC0000-0x0000000000C9D000-memory.dmp

Filesize
884KB

Download
memory/3704-125-0x0000000000BC0000-0x0000000000C9D000-memory.dmp

Filesize
884KB

Download
memory/3704-126-0x0000000071CD0000-0x0000000071D50000-memory.dmp

Filesize
512KB

Download
memory/3704-128-0x0000000005FE0000-0x00000000065E6000-memory.dmp

Filesize
6.0MB

Download
memory/3704-127-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3704-129-0x00000000031A0000-0x00000000031B2000-memory.dmp

Filesize
72KB

Download
memory/3704-130-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/3704-131-0x0000000005930000-0x000000000596E000-memory.dmp

Filesize
248KB

Download
memory/3704-132-0x0000000005DC0000-0x0000000005F82000-memory.dmp

Filesize
1.8MB

Download
memory/3704-133-0x00000000741F0000-0x0000000074774000-memory.dmp

Filesize
5.5MB

Download
memory/3704-134-0x0000000074F00000-0x0000000076248000-memory.dmp

Filesize
19.3MB

Download
memory/3704-135-0x00000000059D0000-0x0000000005A1B000-memory.dmp

Filesize
300KB

Download
memory/3704-136-0x000000006FF20000-0x000000006FF6B000-memory.dmp

Filesize
300KB

Download
memory/3704-137-0x0000000006CF0000-0x00000000071EE000-memory.dmp

Filesize
5.0MB

Download
memory/3704-138-0x0000000006860000-0x00000000068C6000-memory.dmp

Filesize
408KB

Download
memory/3704-139-0x0000000006950000-0x00000000069C6000-memory.dmp

Filesize
472KB

Download
memory/3704-140-0x0000000006A70000-0x0000000006B02000-memory.dmp

Filesize
584KB

Download
memory/3704-141-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/3704-142-0x0000000006C10000-0x0000000006C60000-memory.dmp

Filesize
320KB

Download
memory/3704-143-0x00000000085D0000-0x0000000008AFC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing