redline | ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c

General

Target

ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe
Size

380KB
MD5

3490d8c4ddf715b103e851fff227c3eb
SHA1

6e456f5f062801c8a4130a94c21e2126b12fe033
SHA256

ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c
SHA512

fa9421f9dc37773c8f0dc1592a6db4eee1b85d931c7aaf84e98a3c68f9ba76e84bdd394758ba1654d076b5bd9b84ff203ddbafdfe6c60eb14e370adc26fd64f6

Score

10^/10

redline noname discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

noname

C2

185.215.113.29:20819

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3152-118-0x00000000024B0000-0x00000000024E4000-memory.dmp	family_redline
behavioral1/memory/3152-123-0x0000000004B10000-0x0000000004B42000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

description pid process

Token: SeDebugPrivilege 3152 ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

description	pid	process
Token: SeDebugPrivilege	3152	ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe

C:\Users\Admin\AppData\Local\Temp\ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe
"C:\Users\Admin\AppData\Local\Temp\ea0c8c8f4ae1cb9a60f8fe532d9effa61a8fcec8ca0ca8b231fa73f2d5408c3c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3152-116-0x0000000002090000-0x00000000020C9000-memory.dmp

Filesize
228KB

Download
memory/3152-117-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3152-118-0x00000000024B0000-0x00000000024E4000-memory.dmp

Filesize
208KB

Download
memory/3152-119-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Filesize
5.0MB

Download
memory/3152-120-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3152-121-0x0000000004CC2000-0x0000000004CC3000-memory.dmp

Filesize
4KB

Download
memory/3152-122-0x0000000004CC3000-0x0000000004CC4000-memory.dmp

Filesize
4KB

Download
memory/3152-123-0x0000000004B10000-0x0000000004B42000-memory.dmp

Filesize
200KB

Download
memory/3152-124-0x00000000051D0000-0x00000000057D6000-memory.dmp

Filesize
6.0MB

Download
memory/3152-125-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

Filesize
72KB

Download
memory/3152-126-0x00000000057E0000-0x00000000058EA000-memory.dmp

Filesize
1.0MB

Download
memory/3152-127-0x0000000004CC4000-0x0000000004CC6000-memory.dmp

Filesize
8KB

Download
memory/3152-128-0x0000000004C50000-0x0000000004C8E000-memory.dmp

Filesize
248KB

Download
memory/3152-129-0x00000000058F0000-0x000000000593B000-memory.dmp

Filesize
300KB

Download
memory/3152-130-0x0000000005B70000-0x0000000005BE6000-memory.dmp

Filesize
472KB

Download
memory/3152-131-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/3152-132-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/3152-133-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/3152-134-0x00000000065A0000-0x0000000006762000-memory.dmp

Filesize
1.8MB

Download
memory/3152-135-0x0000000006770000-0x0000000006C9C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing