redline | 1d4d968ac653a358c34887f148bd2a44d742252432fbf7000d379c709da1cdb6

General

Target

tmp.exe
Size

310KB
MD5

f920341ef1e2a7c9fb34a0d1c7f2baf2
SHA1

9e280bf23f975e229d2d7cfb3a0a9898cd884d70
SHA256

1d4d968ac653a358c34887f148bd2a44d742252432fbf7000d379c709da1cdb6
SHA512

6725a3a09b4028a0d7b4cf7c7cd1bd9ebec19be993f10a6d916c8f16882d22bf1fc2da0bb635128101429bdb537c5d6922d1368664d9643d6e42235c1b4be856

Score

10^/10

redline top discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

top

C2

185.215.113.75:81

Attributes

auth_value
ff6259bc2baf33b54b454aad484fb0ee

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exe

pid process

1472 tmp.exe
1472 tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 1472 tmp.exe

pid	process
1472	tmp.exe
1472	tmp.exe

description	pid	process
Token: SeDebugPrivilege	1472	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-54-0x0000000000A50000-0x0000000000A80000-memory.dmp

Filesize
192KB

Download
memory/1472-55-0x0000000000AAE000-0x0000000000AD7000-memory.dmp

Filesize
164KB

Download
memory/1472-56-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/1472-57-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1472-58-0x0000000000D20000-0x0000000000D4E000-memory.dmp

Filesize
184KB

Download
memory/1472-59-0x0000000072430000-0x00000000737BF000-memory.dmp

Filesize
19.6MB

Download
memory/1472-60-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1472-61-0x0000000070D00000-0x0000000071A1D000-memory.dmp

Filesize
13.1MB

Download
memory/1472-62-0x0000000070520000-0x0000000070D00000-memory.dmp

Filesize
7.9MB

Download
memory/1472-63-0x000000006F210000-0x000000007051F000-memory.dmp

Filesize
19.1MB

Download
memory/1472-64-0x000000006EF50000-0x000000006F20B000-memory.dmp

Filesize
2.7MB

Download
memory/1472-65-0x0000000073B80000-0x0000000073BA0000-memory.dmp

Filesize
128KB

Download
memory/1472-66-0x000000006E810000-0x000000006EF4E000-memory.dmp

Filesize
7.2MB

Download
memory/1472-67-0x0000000073AB0000-0x0000000073B79000-memory.dmp

Filesize
804KB

Download
memory/1472-68-0x00000000739B0000-0x0000000073AAC000-memory.dmp

Filesize
1008KB

Download
memory/1472-69-0x0000000071A20000-0x0000000072430000-memory.dmp

Filesize
10.1MB

Download
memory/1472-70-0x0000000073EC0000-0x0000000074054000-memory.dmp

Filesize
1.6MB

Download
memory/1472-71-0x0000000073BA0000-0x0000000073E88000-memory.dmp

Filesize
2.9MB

Download
memory/1472-72-0x000000006E240000-0x000000006E3CB000-memory.dmp

Filesize
1.5MB

Download
memory/1472-73-0x000000006E040000-0x000000006E0A3000-memory.dmp

Filesize
396KB

Download
memory/1472-74-0x000000006DF10000-0x000000006E033000-memory.dmp

Filesize
1.1MB

Download
memory/1472-75-0x0000000000AAE000-0x0000000000AD7000-memory.dmp

Filesize
164KB

Download
memory/1472-76-0x0000000071A20000-0x0000000072430000-memory.dmp

Filesize
10.1MB

Download
memory/1472-77-0x0000000073EC0000-0x0000000074054000-memory.dmp

Filesize
1.6MB

Download
memory/1472-78-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1472-79-0x000000006F210000-0x000000007051F000-memory.dmp

Filesize
19.1MB

Download
memory/1472-81-0x0000000070520000-0x0000000070D00000-memory.dmp

Filesize
7.9MB

Download
memory/1472-80-0x0000000072430000-0x00000000737BF000-memory.dmp

Filesize
19.6MB

Download
memory/1472-82-0x000000006EF50000-0x000000006F20B000-memory.dmp

Filesize
2.7MB

Download
memory/1472-86-0x000000006DF10000-0x000000006E033000-memory.dmp

Filesize
1.1MB

Download
memory/1472-85-0x0000000070D00000-0x0000000071A1D000-memory.dmp

Filesize
13.1MB

Download
memory/1472-84-0x0000000073AB0000-0x0000000073B79000-memory.dmp

Filesize
804KB

Download
memory/1472-83-0x000000006E810000-0x000000006EF4E000-memory.dmp

Filesize
7.2MB

Download
memory/1472-87-0x000000006CCE0000-0x000000006CFFB000-memory.dmp

Filesize
3.1MB

Download
memory/1472-88-0x000000006D000000-0x000000006DD56000-memory.dmp

Filesize
13.3MB

Download
memory/1472-89-0x000000006D000000-0x000000006DD56000-memory.dmp

Filesize
13.3MB

Download

Analysis

Sharing