redline | 8ecb54b5053ede30c8a1fbceaa3f174ea0e6dc30c93a6ceb72a42b5662acbdc8

General

Target

488d80f57c640f09f3cc27ed6acc8a31.exe
Size

443KB
MD5

488d80f57c640f09f3cc27ed6acc8a31
SHA1

8b82803da61b9a524787daf45beda0c7ca1f3663
SHA256

8ecb54b5053ede30c8a1fbceaa3f174ea0e6dc30c93a6ceb72a42b5662acbdc8
SHA512

cdda2d71e60b2fd3689b4549708928f65d6ce6b25c4b30fdb9b3cd0647c6d2c226191f74fbfc0d2e1d4d654ed0325ce885bcf4a04e67d29198eb00d3110771c2

Score

10^/10

redline noname discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

noname

C2

185.215.113.29:20819

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3500-116-0x0000000002560000-0x0000000002594000-memory.dmp	family_redline
behavioral2/memory/3500-118-0x00000000025E0000-0x0000000002612000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

488d80f57c640f09f3cc27ed6acc8a31.exe

description pid process

Token: SeDebugPrivilege 3500 488d80f57c640f09f3cc27ed6acc8a31.exe

description	pid	process
Token: SeDebugPrivilege	3500	488d80f57c640f09f3cc27ed6acc8a31.exe

C:\Users\Admin\AppData\Local\Temp\488d80f57c640f09f3cc27ed6acc8a31.exe
"C:\Users\Admin\AppData\Local\Temp\488d80f57c640f09f3cc27ed6acc8a31.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3500-115-0x0000000000850000-0x0000000000893000-memory.dmp

Filesize
268KB

Download
memory/3500-116-0x0000000002560000-0x0000000002594000-memory.dmp

Filesize
208KB

Download
memory/3500-117-0x0000000004B60000-0x000000000505E000-memory.dmp

Filesize
5.0MB

Download
memory/3500-118-0x00000000025E0000-0x0000000002612000-memory.dmp

Filesize
200KB

Download
memory/3500-119-0x00000000021F0000-0x0000000002229000-memory.dmp

Filesize
228KB

Download
memory/3500-120-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3500-122-0x0000000002552000-0x0000000002553000-memory.dmp

Filesize
4KB

Download
memory/3500-121-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3500-123-0x0000000002553000-0x0000000002554000-memory.dmp

Filesize
4KB

Download
memory/3500-124-0x00000000050A0000-0x00000000056A6000-memory.dmp

Filesize
6.0MB

Download
memory/3500-125-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/3500-126-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/3500-127-0x00000000058B0000-0x00000000058EE000-memory.dmp

Filesize
248KB

Download
memory/3500-128-0x0000000002530000-0x0000000002556000-memory.dmp

Filesize
152KB

Download
memory/3500-129-0x0000000005900000-0x000000000594B000-memory.dmp

Filesize
300KB

Download
memory/3500-130-0x0000000005AA0000-0x0000000005B16000-memory.dmp

Filesize
472KB

Download
memory/3500-131-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/3500-132-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/3500-133-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/3500-134-0x00000000065B0000-0x0000000006772000-memory.dmp

Filesize
1.8MB

Download
memory/3500-135-0x0000000006780000-0x0000000006CAC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing