redline | ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b

General

Target

ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe
Size

1.1MB
MD5

f2639eddc30173c0ac72c29d27b18c53
SHA1

43f19a7fdbadfee3072eef7efa396253ee2a251d
SHA256

ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b
SHA512

cb5acd9f3a229ee90d0328ecd23371c6be56f7958a34cf5ad3d2581bf9899e7ebe10f15191970bef9c9d520bc7f58b2c9e9edfee80777a531fb9975099538e2d

Score

10^/10

redline alltop discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

alltop

C2

deyneyab.xyz:80

Attributes

auth_value
6fadc2b44b16945c8f721b77e484a725

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/220-130-0x0000000000A80000-0x0000000000BBA000-memory.dmp	family_redline
behavioral1/memory/220-132-0x0000000000A80000-0x0000000000BBA000-memory.dmp	family_redline
behavioral1/memory/220-134-0x0000000000A82000-0x0000000000A9B000-memory.dmp	family_redline
behavioral1/memory/220-136-0x0000000000A82000-0x0000000000A9B000-memory.dmp	family_redline
behavioral1/memory/220-138-0x0000000000A80000-0x0000000000BBA000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe

pid process

220 ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe

pid	process
220	ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe
220	ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe

description pid process

Token: SeDebugPrivilege 220 ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe

description	pid	process
Token: SeDebugPrivilege	220	ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe

C:\Users\Admin\AppData\Local\Temp\ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe
"C:\Users\Admin\AppData\Local\Temp\ba7c122421ea694f82470b12b71146dc3be788d69e354891e78a9e40adab503b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/220-130-0x0000000000A80000-0x0000000000BBA000-memory.dmp

Filesize
1.2MB

Download
memory/220-131-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/220-132-0x0000000000A80000-0x0000000000BBA000-memory.dmp

Filesize
1.2MB

Download
memory/220-133-0x00000000026A0000-0x00000000026E6000-memory.dmp

Filesize
280KB

Download
memory/220-134-0x0000000000A82000-0x0000000000A9B000-memory.dmp

Filesize
100KB

Download
memory/220-135-0x00000000768B0000-0x0000000076AC5000-memory.dmp

Filesize
2.1MB

Download
memory/220-136-0x0000000000A82000-0x0000000000A9B000-memory.dmp

Filesize
100KB

Download
memory/220-137-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/220-138-0x0000000000A80000-0x0000000000BBA000-memory.dmp

Filesize
1.2MB

Download
memory/220-139-0x0000000073410000-0x0000000073499000-memory.dmp

Filesize
548KB

Download
memory/220-140-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/220-141-0x0000000076C50000-0x0000000077203000-memory.dmp

Filesize
5.7MB

Download
memory/220-142-0x0000000005740000-0x0000000005D58000-memory.dmp

Filesize
6.1MB

Download
memory/220-143-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/220-144-0x0000000005280000-0x000000000538A000-memory.dmp

Filesize
1.0MB

Download
memory/220-145-0x00000000051B0000-0x00000000051EC000-memory.dmp

Filesize
240KB

Download
memory/220-146-0x000000006EC20000-0x000000006EC6C000-memory.dmp

Filesize
304KB

Download
memory/220-147-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/220-148-0x0000000006370000-0x00000000063D6000-memory.dmp

Filesize
408KB

Download
memory/220-149-0x0000000006580000-0x00000000065F6000-memory.dmp

Filesize
472KB

Download
memory/220-150-0x00000000066A0000-0x0000000006732000-memory.dmp

Filesize
584KB

Download
memory/220-151-0x0000000006CF0000-0x0000000007294000-memory.dmp

Filesize
5.6MB

Download
memory/220-152-0x00000000069A0000-0x00000000069BE000-memory.dmp

Filesize
120KB

Download
memory/220-153-0x00000000072A0000-0x0000000007462000-memory.dmp

Filesize
1.8MB

Download
memory/220-154-0x00000000079A0000-0x0000000007ECC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing