redline | 88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779

General

Target

88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe
Size

416KB
MD5

3f9fa9eda535e8bbba665fb4466fd64d
SHA1

50737150378d24054642505217458cd33de9e36e
SHA256

88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779
SHA512

413d9a05088c3bcf4bb1dcea6e4f2e09c9f99c920dbba883ed0e8715694a8baaa1034a2ab7a77c50c679e1565fb2ea85931f85c5fec0eb6c64474c971a588772

Score

10^/10

redline ruzkiunikalno discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

RuzkiUNIKALNO

C2

193.233.48.58:38989

Attributes

auth_value
c504b04cfbdd4bf85ce6195bcb37fba6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4016-121-0x0000000002380000-0x00000000023B4000-memory.dmp	family_redline
behavioral1/memory/4016-123-0x0000000002810000-0x0000000002844000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe

description pid process

Token: SeDebugPrivilege 4016 88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe

description	pid	process
Token: SeDebugPrivilege	4016	88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe

C:\Users\Admin\AppData\Local\Temp\88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe
"C:\Users\Admin\AppData\Local\Temp\88273d6853a74113616beb04d419eaae786646e358aa158d8f204890f385c779.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4016-118-0x00000000004B0000-0x00000000005FA000-memory.dmp

Filesize
1.3MB

Download
memory/4016-119-0x00000000020D0000-0x000000000210A000-memory.dmp

Filesize
232KB

Download
memory/4016-120-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4016-121-0x0000000002380000-0x00000000023B4000-memory.dmp

Filesize
208KB

Download
memory/4016-122-0x0000000004D30000-0x000000000522E000-memory.dmp

Filesize
5.0MB

Download
memory/4016-123-0x0000000002810000-0x0000000002844000-memory.dmp

Filesize
208KB

Download
memory/4016-124-0x0000000005230000-0x0000000005836000-memory.dmp

Filesize
6.0MB

Download
memory/4016-125-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4016-126-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/4016-127-0x0000000004C80000-0x0000000004CBE000-memory.dmp

Filesize
248KB

Download
memory/4016-128-0x0000000005950000-0x000000000599B000-memory.dmp

Filesize
300KB

Download
memory/4016-129-0x0000000005BB0000-0x0000000005C26000-memory.dmp

Filesize
472KB

Download
memory/4016-130-0x0000000005CA0000-0x0000000005D32000-memory.dmp

Filesize
584KB

Download
memory/4016-131-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/4016-132-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4016-133-0x00000000065C0000-0x0000000006782000-memory.dmp

Filesize
1.8MB

Download
memory/4016-134-0x00000000067B0000-0x0000000006CDC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing