redline | d5d3955dafe311670cc04160848219c88dfefb3b24ffad57c4def516d9cf8cb3

General

Target

928e275860e9c07e7514c31880bb6561.exe
Size

443KB
MD5

928e275860e9c07e7514c31880bb6561
SHA1

25d6ea860b9bc71eda50ce7df06127a2431cebf4
SHA256

d5d3955dafe311670cc04160848219c88dfefb3b24ffad57c4def516d9cf8cb3
SHA512

9ddc12cffc5f96df40d18921905c3fc095197b63274fd9a0320e8e481484c5cf2b589fb6b0d4ba674f99f46a4aedb19f431f272b57a63a5624fd30778ef6aa6d

Score

10^/10

redline noname discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

noname

C2

185.215.113.29:20819

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3552-115-0x0000000002320000-0x0000000002354000-memory.dmp	family_redline
behavioral2/memory/3552-121-0x0000000002730000-0x0000000002762000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

928e275860e9c07e7514c31880bb6561.exe

description pid process

Token: SeDebugPrivilege 3552 928e275860e9c07e7514c31880bb6561.exe

description	pid	process
Token: SeDebugPrivilege	3552	928e275860e9c07e7514c31880bb6561.exe

C:\Users\Admin\AppData\Local\Temp\928e275860e9c07e7514c31880bb6561.exe
"C:\Users\Admin\AppData\Local\Temp\928e275860e9c07e7514c31880bb6561.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3552-115-0x0000000002320000-0x0000000002354000-memory.dmp

Filesize
208KB

Download
memory/3552-116-0x0000000000600000-0x0000000000639000-memory.dmp

Filesize
228KB

Download
memory/3552-117-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/3552-118-0x00000000024F2000-0x00000000024F3000-memory.dmp

Filesize
4KB

Download
memory/3552-119-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/3552-120-0x0000000004C60000-0x000000000515E000-memory.dmp

Filesize
5.0MB

Download
memory/3552-121-0x0000000002730000-0x0000000002762000-memory.dmp

Filesize
200KB

Download
memory/3552-122-0x00000000024F3000-0x00000000024F4000-memory.dmp

Filesize
4KB

Download
memory/3552-123-0x0000000005160000-0x0000000005766000-memory.dmp

Filesize
6.0MB

Download
memory/3552-124-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/3552-125-0x0000000005770000-0x000000000587A000-memory.dmp

Filesize
1.0MB

Download
memory/3552-126-0x00000000058B0000-0x00000000058EE000-memory.dmp

Filesize
248KB

Download
memory/3552-127-0x0000000002490000-0x00000000024F6000-memory.dmp

Filesize
408KB

Download
memory/3552-128-0x0000000005900000-0x000000000594B000-memory.dmp

Filesize
300KB

Download
memory/3552-129-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3552-130-0x0000000006260000-0x00000000062D6000-memory.dmp

Filesize
472KB

Download
memory/3552-131-0x00000000062E0000-0x0000000006372000-memory.dmp

Filesize
584KB

Download
memory/3552-132-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/3552-133-0x0000000006620000-0x00000000067E2000-memory.dmp

Filesize
1.8MB

Download
memory/3552-134-0x00000000067F0000-0x0000000006D1C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing