redline | 2ff94580df6875ef9c21d9ded17ebbb14738822eb447c11014d21d26f4aa5e08

Analysis

max time kernel
55s
max time network
59s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-08-2022 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3b0ebb5f35fecb8c30b314fd571c76f.exe
Size

107KB
MD5

d3b0ebb5f35fecb8c30b314fd571c76f
SHA1

905316a9ecbf93ec9b3869aee1f5776d4ab01dcb
SHA256

2ff94580df6875ef9c21d9ded17ebbb14738822eb447c11014d21d26f4aa5e08
SHA512

553e13e572af4e3cf8a977e9caffb9fb0117726fa1094286e184b73a83f917024034c6d5ba75e50a6069fccac2d5f0546ab2bc0e19170fa8445c82cc2e88704a
SSDEEP

3072:TcvFBBCY2pieIhrY7foJm5PQcfxjdjhd4EASNX:Tcvf7aoJkYcTjhd4jS

Score

10^/10

redline top1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

top1

185.2.83.247:80

Attributes

auth_value
fa2afa98a6579319e36e31ee0552bd57

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1508-54-0x00000000009C0000-0x00000000009E0000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d3b0ebb5f35fecb8c30b314fd571c76f.exe

pid process

1508 d3b0ebb5f35fecb8c30b314fd571c76f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d3b0ebb5f35fecb8c30b314fd571c76f.exe

description pid process

Token: SeDebugPrivilege 1508 d3b0ebb5f35fecb8c30b314fd571c76f.exe

pid	process
1508	d3b0ebb5f35fecb8c30b314fd571c76f.exe

description	pid	process
Token: SeDebugPrivilege	1508	d3b0ebb5f35fecb8c30b314fd571c76f.exe

C:\Users\Admin\AppData\Local\Temp\d3b0ebb5f35fecb8c30b314fd571c76f.exe
"C:\Users\Admin\AppData\Local\Temp\d3b0ebb5f35fecb8c30b314fd571c76f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-54-0x00000000009C0000-0x00000000009E0000-memory.dmp

Filesize
128KB

Download
memory/1508-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download