redline | e014d13454f28df109de9994db961e3b2e8ddcc0e2eb493087c1870e0bd3e106

General

Target

e014d13454f28df109de9994db961e3b2e8ddcc0e2eb493087c1870e0bd3e106.exe
Size

368KB
MD5

f438b6e83d33887f0ca3d3343b5b6ad5
SHA1

cfd3abf4d90da0d8c67104a4de1ba42327c7cafd
SHA256

e014d13454f28df109de9994db961e3b2e8ddcc0e2eb493087c1870e0bd3e106
SHA512

25fe7e4dd3a9fb76cf2e729129d6ea4b950329f537566fe50a9db61289fba232636fcfa1334b9cd97fd43411eeefb42f3674c25a7ac14096910dfc6b8a7b012d

Score

10^/10

redline 50n discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

50n

C2

193.106.191.190:23196

Attributes

auth_value
d61a9ba1568b3b8e34c959aa0f254969

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4016	e014d13454f28df109de9994db961e3b2e8ddcc0e2eb493087c1870e0bd3e106.exe
4016	e014d13454f28df109de9994db961e3b2e8ddcc0e2eb493087c1870e0bd3e106.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	e014d13454f28df109de9994db961e3b2e8ddcc0e2eb493087c1870e0bd3e106.exe

C:\Users\Admin\AppData\Local\Temp\e014d13454f28df109de9994db961e3b2e8ddcc0e2eb493087c1870e0bd3e106.exe
"C:\Users\Admin\AppData\Local\Temp\e014d13454f28df109de9994db961e3b2e8ddcc0e2eb493087c1870e0bd3e106.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4016-116-0x0000000000793000-0x00000000007BD000-memory.dmp

Filesize
168KB

Download
memory/4016-117-0x0000000000730000-0x0000000000767000-memory.dmp

Filesize
220KB

Download
memory/4016-118-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4016-119-0x0000000002460000-0x0000000002490000-memory.dmp

Filesize
192KB

Download
memory/4016-120-0x0000000004D60000-0x000000000525E000-memory.dmp

Filesize
5.0MB

Download
memory/4016-121-0x0000000002630000-0x000000000265E000-memory.dmp

Filesize
184KB

Download
memory/4016-122-0x0000000005260000-0x0000000005866000-memory.dmp

Filesize
6.0MB

Download
memory/4016-123-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/4016-124-0x0000000004C30000-0x0000000004D3A000-memory.dmp

Filesize
1.0MB

Download
memory/4016-125-0x0000000005870000-0x00000000058AE000-memory.dmp

Filesize
248KB

Download
memory/4016-126-0x00000000058F0000-0x000000000593B000-memory.dmp

Filesize
300KB

Download
memory/4016-127-0x0000000005B80000-0x0000000005BF6000-memory.dmp

Filesize
472KB

Download
memory/4016-128-0x0000000005C00000-0x0000000005C92000-memory.dmp

Filesize
584KB

Download
memory/4016-129-0x0000000005DE0000-0x0000000005DFE000-memory.dmp

Filesize
120KB

Download
memory/4016-130-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/4016-131-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download
memory/4016-132-0x0000000006880000-0x0000000006DAC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing