redline | 5bdc99834bb593ed40414902672683b1ffa778115150641c02518ea7244075ac

Analysis

max time kernel
41s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 07:36

Target

3d5ca98b8fd257c263dee31cf88c8375.exe
Size

199KB
MD5

3d5ca98b8fd257c263dee31cf88c8375
SHA1

435178d2cd7bdf2eeab445531e25791cdf613ef0
SHA256

5bdc99834bb593ed40414902672683b1ffa778115150641c02518ea7244075ac
SHA512

171825e914f90605f4c84ee2c3807aed0ac6688ed32bfb49569d3b20f84c859c2cf645b12675053ae8be238c9750ca84b0866dbc3f925b42a62fe3600edec0c2
SSDEEP

6144:pzs6pvOcf/UKr6t9YgW2gVDLs0bG1LmqJGe:pzdhhfSzYRNDLsLlm

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/112-55-0x00000000003E0000-0x0000000000440000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
112	3d5ca98b8fd257c263dee31cf88c8375.exe
112	3d5ca98b8fd257c263dee31cf88c8375.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	112	3d5ca98b8fd257c263dee31cf88c8375.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/112-54-0x00000000003A0000-0x00000000003D8000-memory.dmp

Filesize
224KB

Download
memory/112-55-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/112-56-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/112-57-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download