redline | 658c80b50a869a944184ec4a46bcdb807cae0b08584d4554bdfa92167d8c8979

General

Target

6bb9767591f38267b3c94b20aa515d9c.exe
Size

1.0MB
MD5

6bb9767591f38267b3c94b20aa515d9c
SHA1

95827cd17f6e833d266a51ed5ba61e137da8970f
SHA256

658c80b50a869a944184ec4a46bcdb807cae0b08584d4554bdfa92167d8c8979
SHA512

dbdf1633af60b4c4aa2bfdcfb54905cf4921ff8d058966615121429f8216c6379f9fa7f5798d1790daab981dbc66bd73764f2a1192f36ef9046ce3085fb7e3cc

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1620-57-0x0000000001260000-0x0000000001348000-memory.dmp	family_redline
behavioral1/memory/1620-66-0x0000000001260000-0x0000000001348000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6bb9767591f38267b3c94b20aa515d9c.exe

pid process

1620 6bb9767591f38267b3c94b20aa515d9c.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6bb9767591f38267b3c94b20aa515d9c.exe

pid process

1620 6bb9767591f38267b3c94b20aa515d9c.exe
1620 6bb9767591f38267b3c94b20aa515d9c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6bb9767591f38267b3c94b20aa515d9c.exe

description pid process

Token: SeDebugPrivilege 1620 6bb9767591f38267b3c94b20aa515d9c.exe

pid	process
1620	6bb9767591f38267b3c94b20aa515d9c.exe

pid	process
1620	6bb9767591f38267b3c94b20aa515d9c.exe
1620	6bb9767591f38267b3c94b20aa515d9c.exe

description	pid	process
Token: SeDebugPrivilege	1620	6bb9767591f38267b3c94b20aa515d9c.exe

C:\Users\Admin\AppData\Local\Temp\6bb9767591f38267b3c94b20aa515d9c.exe
"C:\Users\Admin\AppData\Local\Temp\6bb9767591f38267b3c94b20aa515d9c.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1620-55-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1620-56-0x00000000753C0000-0x000000007540A000-memory.dmp

Filesize
296KB

Download
memory/1620-57-0x0000000001260000-0x0000000001348000-memory.dmp

Filesize
928KB

Download
memory/1620-59-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1620-61-0x0000000075870000-0x000000007591C000-memory.dmp

Filesize
688KB

Download
memory/1620-62-0x00000000773A0000-0x00000000773E7000-memory.dmp

Filesize
284KB

Download
memory/1620-63-0x0000000075640000-0x0000000075697000-memory.dmp

Filesize
348KB

Download
memory/1620-65-0x0000000076310000-0x000000007646C000-memory.dmp

Filesize
1.4MB

Download
memory/1620-66-0x0000000001260000-0x0000000001348000-memory.dmp

Filesize
928KB

Download
memory/1620-67-0x0000000076470000-0x00000000764FF000-memory.dmp

Filesize
572KB

Download
memory/1620-69-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1620-70-0x0000000076640000-0x000000007728A000-memory.dmp

Filesize
12.3MB

Download
memory/1620-71-0x0000000074270000-0x0000000074287000-memory.dmp

Filesize
92KB

Download
memory/1620-72-0x0000000077690000-0x00000000776C5000-memory.dmp

Filesize
212KB

Download
memory/1620-73-0x000000006EE80000-0x000000006EE9C000-memory.dmp

Filesize
112KB

Download
memory/1620-74-0x000000006EAA0000-0x000000006EAB5000-memory.dmp

Filesize
84KB

Download
memory/1620-75-0x000000006EAC0000-0x000000006EB12000-memory.dmp

Filesize
328KB

Download
memory/1620-76-0x000000006EA90000-0x000000006EA9D000-memory.dmp

Filesize
52KB

Download
memory/1620-77-0x00000000777A0000-0x00000000777B9000-memory.dmp

Filesize
100KB

Download
memory/1620-78-0x000000006E9E0000-0x000000006EA2F000-memory.dmp

Filesize
316KB

Download
memory/1620-79-0x000000006EA30000-0x000000006EA88000-memory.dmp

Filesize
352KB

Download
memory/1620-80-0x00000000755D0000-0x00000000755DC000-memory.dmp

Filesize
48KB

Download
memory/1620-82-0x0000000076610000-0x0000000076637000-memory.dmp

Filesize
156KB

Download
memory/1620-83-0x000000006EE20000-0x000000006EE64000-memory.dmp

Filesize
272KB

Download
memory/1620-84-0x000000006E860000-0x000000006E89D000-memory.dmp

Filesize
244KB

Download
memory/1620-85-0x0000000076500000-0x000000007650C000-memory.dmp

Filesize
48KB

Download
memory/1620-86-0x0000000075CB0000-0x0000000075DCD000-memory.dmp

Filesize
1.1MB

Download
memory/1620-87-0x0000000075280000-0x000000007528B000-memory.dmp

Filesize
44KB

Download
memory/1620-88-0x000000006E840000-0x000000006E857000-memory.dmp

Filesize
92KB

Download
memory/1620-89-0x000000006E8A0000-0x000000006E8D8000-memory.dmp

Filesize
224KB

Download
memory/1620-90-0x0000000074290000-0x00000000742A6000-memory.dmp

Filesize
88KB

Download
memory/1620-91-0x000000006D640000-0x000000006D7D0000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing