redline | 627bc1e4c25d56aa3b16ec1ec8f98a2ff24d9ac18ef32c2dd59d1ea46f00e576

General

Target

19d19b66faa339c96638e68887fcbc27.exe
Size

444KB
MD5

19d19b66faa339c96638e68887fcbc27
SHA1

9239a9f1af64746834e7a4de54e442e44976eb87
SHA256

627bc1e4c25d56aa3b16ec1ec8f98a2ff24d9ac18ef32c2dd59d1ea46f00e576
SHA512

95c75f960d7df9f336bbc473bb86e6e1ef7ece0b26358821c61ebec4be5c44302a66a40c2d90b7dd77787549d5343d2ad66e91fc4bb7c32922ae88b9e4162637

Score

10^/10

redline ruzkikakoyto discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

ruzkiKAKOYTO

C2

185.215.113.29:20819

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/676-118-0x0000000002470000-0x00000000024A4000-memory.dmp	family_redline
behavioral2/memory/676-121-0x00000000025A0000-0x00000000025D2000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

19d19b66faa339c96638e68887fcbc27.exe

description pid process

Token: SeDebugPrivilege 676 19d19b66faa339c96638e68887fcbc27.exe

description	pid	process
Token: SeDebugPrivilege	676	19d19b66faa339c96638e68887fcbc27.exe

C:\Users\Admin\AppData\Local\Temp\19d19b66faa339c96638e68887fcbc27.exe
"C:\Users\Admin\AppData\Local\Temp\19d19b66faa339c96638e68887fcbc27.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-115-0x0000000000670000-0x00000000006B4000-memory.dmp

Filesize
272KB

Download
memory/676-116-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/676-117-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/676-118-0x0000000002470000-0x00000000024A4000-memory.dmp

Filesize
208KB

Download
memory/676-119-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/676-120-0x0000000004C30000-0x000000000512E000-memory.dmp

Filesize
5.0MB

Download
memory/676-121-0x00000000025A0000-0x00000000025D2000-memory.dmp

Filesize
200KB

Download
memory/676-122-0x0000000002662000-0x0000000002663000-memory.dmp

Filesize
4KB

Download
memory/676-123-0x0000000002663000-0x0000000002664000-memory.dmp

Filesize
4KB

Download
memory/676-124-0x0000000005130000-0x0000000005736000-memory.dmp

Filesize
6.0MB

Download
memory/676-125-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/676-126-0x0000000005780000-0x000000000588A000-memory.dmp

Filesize
1.0MB

Download
memory/676-127-0x00000000025E0000-0x0000000002666000-memory.dmp

Filesize
536KB

Download
memory/676-128-0x00000000058B0000-0x00000000058EE000-memory.dmp

Filesize
248KB

Download
memory/676-129-0x0000000005900000-0x000000000594B000-memory.dmp

Filesize
300KB

Download
memory/676-130-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/676-131-0x0000000006240000-0x00000000062B6000-memory.dmp

Filesize
472KB

Download
memory/676-132-0x0000000006300000-0x0000000006392000-memory.dmp

Filesize
584KB

Download
memory/676-133-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/676-134-0x0000000006620000-0x00000000067E2000-memory.dmp

Filesize
1.8MB

Download
memory/676-135-0x00000000067F0000-0x0000000006D1C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing