redline | 16ccbb0d0f4e2c4ea94f282f38e84ef2fefd4115607f0445a0b0f72a8f607989

General

Target

16ccbb0d0f4e2c4ea94f282f38e84ef2fefd4115607f0445a0b0f72a8f607989.exe
Size

440KB
MD5

3ca4082c1caf79ec63f6dad29fef9023
SHA1

4b219e86c9c4aec04b4b254848e93446e7576f09
SHA256

16ccbb0d0f4e2c4ea94f282f38e84ef2fefd4115607f0445a0b0f72a8f607989
SHA512

a64e7df6a0e0ea8464c93d48b08cdff472ddab5dd1a43314f4f1b5cdbe76271a450ff35278d2e15dd927e9ea3d3e3424218e45f455c03bdc5244891299fb0924

Score

10^/10

redline ruzkikakoyto discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

ruzkiKAKOYTO

C2

185.215.113.29:20819

Attributes

auth_value
44e87155dd7a4d1957a956ed040ff3fd

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1520-115-0x0000000002930000-0x0000000002964000-memory.dmp	family_redline
behavioral1/memory/1520-118-0x0000000004F20000-0x0000000004F52000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

16ccbb0d0f4e2c4ea94f282f38e84ef2fefd4115607f0445a0b0f72a8f607989.exe

description pid process

Token: SeDebugPrivilege 1520 16ccbb0d0f4e2c4ea94f282f38e84ef2fefd4115607f0445a0b0f72a8f607989.exe

description	pid	process
Token: SeDebugPrivilege	1520	16ccbb0d0f4e2c4ea94f282f38e84ef2fefd4115607f0445a0b0f72a8f607989.exe

C:\Users\Admin\AppData\Local\Temp\16ccbb0d0f4e2c4ea94f282f38e84ef2fefd4115607f0445a0b0f72a8f607989.exe
"C:\Users\Admin\AppData\Local\Temp\16ccbb0d0f4e2c4ea94f282f38e84ef2fefd4115607f0445a0b0f72a8f607989.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-115-0x0000000002930000-0x0000000002964000-memory.dmp

Filesize
208KB

Download
memory/1520-116-0x00000000050B0000-0x00000000055AE000-memory.dmp

Filesize
5.0MB

Download
memory/1520-118-0x0000000004F20000-0x0000000004F52000-memory.dmp

Filesize
200KB

Download
memory/1520-117-0x000000000089A000-0x00000000008C6000-memory.dmp

Filesize
176KB

Download
memory/1520-119-0x0000000000A00000-0x0000000000A39000-memory.dmp

Filesize
228KB

Download
memory/1520-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1520-121-0x0000000072F8E000-0x0000000072F8F000-memory.dmp

Filesize
4KB

Download
memory/1520-122-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1520-123-0x00000000050A2000-0x00000000050A3000-memory.dmp

Filesize
4KB

Download
memory/1520-124-0x00000000050A3000-0x00000000050A4000-memory.dmp

Filesize
4KB

Download
memory/1520-125-0x0000000005BC0000-0x00000000061C6000-memory.dmp

Filesize
6.0MB

Download
memory/1520-126-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

Filesize
72KB

Download
memory/1520-127-0x00000000055B0000-0x00000000056BA000-memory.dmp

Filesize
1.0MB

Download
memory/1520-128-0x0000000005050000-0x000000000508E000-memory.dmp

Filesize
248KB

Download
memory/1520-129-0x00000000050A4000-0x00000000050A6000-memory.dmp

Filesize
8KB

Download
memory/1520-130-0x00000000056C0000-0x000000000570B000-memory.dmp

Filesize
300KB

Download
memory/1520-131-0x0000000005860000-0x00000000058D6000-memory.dmp

Filesize
472KB

Download
memory/1520-132-0x00000000058E0000-0x0000000005972000-memory.dmp

Filesize
584KB

Download
memory/1520-133-0x00000000061D0000-0x00000000061EE000-memory.dmp

Filesize
120KB

Download
memory/1520-134-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/1520-135-0x0000000006990000-0x0000000006B52000-memory.dmp

Filesize
1.8MB

Download
memory/1520-136-0x0000000006B60000-0x000000000708C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing