redline | 308fcf160e8a3e3956eae1a8a2285d06813dd879104601e884b5af4c960ca82a

Analysis

max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220414-en
submitted
10-06-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe
Size

106KB
MD5

a46648b2dd6e96562b144ae36956f123
SHA1

caa5d0f31b1dcc21e2267a2b240d35e1c7ce769a
SHA256

308fcf160e8a3e3956eae1a8a2285d06813dd879104601e884b5af4c960ca82a
SHA512

311fd32bd11758d72be1324666bc8e504682e48095698cef6d65ced0422a53f636fbf4cb66348f37e945fb043cf590a57b368a64d9516e47bb04b1a53e56ec52

Score

10^/10

redline 10 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

179.43.154.136:6001

Attributes

auth_value
d695bfb18b65b93b53b6583424227f3c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1512-54-0x0000000000B20000-0x0000000000B40000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe

pid process

1512 308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe

description pid process

Token: SeDebugPrivilege 1512 308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe

pid	process
1512	308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe

description	pid	process
Token: SeDebugPrivilege	1512	308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe

C:\Users\Admin\AppData\Local\Temp\308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe
"C:\Users\Admin\AppData\Local\Temp\308FCF160E8A3E3956EAE1A8A2285D06813DD87910460.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-54-0x0000000000B20000-0x0000000000B40000-memory.dmp

Filesize
128KB

Download
memory/1512-55-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download