redline | 2d82e375212398a13c0f1af63384143534ceaeacfe0afd9f316bd7a497d7ac88

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
09-03-2022 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1597323acab489ee1798a38278a08b2f.exe
Size

102KB
MD5

1597323acab489ee1798a38278a08b2f
SHA1

a585e9913d39f48ed7dc1a294f69de5d9466fff2
SHA256

2d82e375212398a13c0f1af63384143534ceaeacfe0afd9f316bd7a497d7ac88
SHA512

a0f34b63fd39423b2bd3a8869e8a1216e9e4056b58686405e1d66c54661586b40df353e9ffc04fde0b6e6c180fd6fe33c4f7d46b2aae4c9932116a10e4ae92cb

Score

10^/10

redline 1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

138.124.180.81:6482

Attributes

auth_value
16a2d7f0fda0ec607bf6663d787829ef

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/744-56-0x0000000000AC0000-0x0000000000AE0000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1597323acab489ee1798a38278a08b2f.exe

pid process

744 1597323acab489ee1798a38278a08b2f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1597323acab489ee1798a38278a08b2f.exe

description pid process

Token: SeDebugPrivilege 744 1597323acab489ee1798a38278a08b2f.exe

pid	process
744	1597323acab489ee1798a38278a08b2f.exe

description	pid	process
Token: SeDebugPrivilege	744	1597323acab489ee1798a38278a08b2f.exe

C:\Users\Admin\AppData\Local\Temp\1597323acab489ee1798a38278a08b2f.exe
"C:\Users\Admin\AppData\Local\Temp\1597323acab489ee1798a38278a08b2f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-55-0x0000000074890000-0x0000000074F7E000-memory.dmp

Filesize
6.9MB

Download
memory/744-56-0x0000000000AC0000-0x0000000000AE0000-memory.dmp

Filesize
128KB

Download
memory/744-57-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download