Behavioral Report

General

Target

84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe
Size

407KB
MD5

4c3394cc1e57b8d6ca1b3a087d05909f
SHA1

b15397cb1c3a556babf5e93032c78f346ddcbd5f
SHA256

84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3
SHA512

62d377c4c7cf9c7e264e0b5a98cae87fba5c7ddc3fb67f9478102883fb3d420dfe04062e6572a2f2e8ab48a0ab4606ccecd24243fa6eab875e16ad493699bf53

Score

10^/10

redline test1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

test1

C2

185.215.113.75:80

Attributes

auth_value
7ab4a4e2eae9eb7ae10f64f68df53bb3

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe

pid process

3588 84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe

description pid process

Token: SeDebugPrivilege 3588 84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe

pid	process
3588	84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe

description	pid	process
Token: SeDebugPrivilege	3588	84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe

C:\Users\Admin\AppData\Local\Temp\84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe
"C:\Users\Admin\AppData\Local\Temp\84d9e912e24a27aa3b4f77f75c3817594f188bd3f0fc3edf9f4669e65b5755b3.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

00:00 00:00

Downloads

memory/3588-120-0x00000000021C0000-0x00000000021F0000-memory.dmp

Filesize
192KB

Download
memory/3588-121-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1MB

Download
memory/3588-122-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1MB

Download
memory/3588-123-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/3588-124-0x0000000004D00000-0x00000000051FE000-memory.dmp

Filesize
4MB

Download
memory/3588-125-0x0000000002540000-0x000000000256E000-memory.dmp

Filesize
184KB

Download
memory/3588-126-0x0000000005200000-0x0000000005806000-memory.dmp

Filesize
6MB

Download
memory/3588-127-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3588-128-0x0000000005810000-0x000000000591A000-memory.dmp

Filesize
1MB

Download
memory/3588-129-0x0000000004C40000-0x0000000004C7E000-memory.dmp

Filesize
248KB

Download
memory/3588-130-0x0000000005920000-0x000000000596B000-memory.dmp

Filesize
300KB

Download
memory/3588-131-0x0000000006660000-0x00000000066C6000-memory.dmp

Filesize
408KB

Download
memory/3588-132-0x00000000069A0000-0x0000000006A16000-memory.dmp

Filesize
472KB

Download
memory/3588-133-0x0000000006A80000-0x0000000006B12000-memory.dmp

Filesize
584KB

Download
memory/3588-134-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/3588-135-0x0000000006D90000-0x0000000006F52000-memory.dmp

Filesize
1MB

Download
memory/3588-136-0x0000000006F60000-0x000000000748C000-memory.dmp

Filesize
5MB

Download

Analysis

Sharing