redline | 2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7

General

Target

2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe
Size

1.7MB
MD5

6682e8026bf41367710e90514205b756
SHA1

d0cf2f9bf38109840172d88ba11db803d8bd1bc3
SHA256

2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7
SHA512

3bffb3c860f4dac65de11a58d2858b98d04404bd9a4e4236e2ffe0fe1821cc7974170e063aab351aa315be55fbfc7f787ecd44c8d8a218a95e640175e5592248

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3500-118-0x0000000000D50000-0x0000000000EED000-memory.dmp	family_redline
behavioral1/memory/3500-123-0x0000000000D50000-0x0000000000EED000-memory.dmp	family_redline
behavioral1/memory/3500-124-0x0000000000D50000-0x0000000000EED000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe

pid process

3500 2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe

pid	process
3500	2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe
3500	2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe
3500	2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe

description pid process

Token: SeDebugPrivilege 3500 2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe

description	pid	process
Token: SeDebugPrivilege	3500	2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe

C:\Users\Admin\AppData\Local\Temp\2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe
"C:\Users\Admin\AppData\Local\Temp\2d6c4142c93b3a5b6644c32c472ab73046504e8ee54f9e5f439bdb01b61aead7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3500-118-0x0000000000D50000-0x0000000000EED000-memory.dmp

Filesize
1.6MB

Download
memory/3500-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3500-120-0x00000000762F0000-0x00000000764B2000-memory.dmp

Filesize
1.8MB

Download
memory/3500-121-0x0000000000C50000-0x0000000000C94000-memory.dmp

Filesize
272KB

Download
memory/3500-122-0x0000000075630000-0x0000000075721000-memory.dmp

Filesize
964KB

Download
memory/3500-123-0x0000000000D50000-0x0000000000EED000-memory.dmp

Filesize
1.6MB

Download
memory/3500-124-0x0000000000D50000-0x0000000000EED000-memory.dmp

Filesize
1.6MB

Download
memory/3500-125-0x0000000071B10000-0x0000000071B90000-memory.dmp

Filesize
512KB

Download
memory/3500-126-0x0000000076A40000-0x0000000076FC4000-memory.dmp

Filesize
5.5MB

Download
memory/3500-128-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3500-127-0x0000000073EA0000-0x00000000751E8000-memory.dmp

Filesize
19.3MB

Download
memory/3500-129-0x0000000005440000-0x0000000005A46000-memory.dmp

Filesize
6.0MB

Download
memory/3500-130-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/3500-131-0x0000000004F40000-0x000000000504A000-memory.dmp

Filesize
1.0MB

Download
memory/3500-132-0x0000000004E30000-0x0000000004E6E000-memory.dmp

Filesize
248KB

Download
memory/3500-133-0x0000000005220000-0x00000000053E2000-memory.dmp

Filesize
1.8MB

Download
memory/3500-134-0x0000000004E70000-0x0000000004EBB000-memory.dmp

Filesize
300KB

Download
memory/3500-135-0x0000000071780000-0x00000000717CB000-memory.dmp

Filesize
300KB

Download
memory/3500-136-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/3500-137-0x0000000005CD0000-0x0000000005D62000-memory.dmp

Filesize
584KB

Download
memory/3500-138-0x0000000006420000-0x0000000006496000-memory.dmp

Filesize
472KB

Download
memory/3500-139-0x00000000069A0000-0x0000000006E9E000-memory.dmp

Filesize
5.0MB

Download
memory/3500-140-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/3500-141-0x0000000007E80000-0x00000000083AC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing