redline | 12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1

General

Target

12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe
Size

283KB
MD5

5daecaa4d170371d9688f8551346df5e
SHA1

2d2374b12c97632ddfe5130ac07c471d3e998b39
SHA256

12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1
SHA512

95d5991d6abe5b201c6c6c1fa733823a5f6437fc68646904dd1d59f4883c37be42e3d2e3d7c530a0fbbd53fe273148bef800f8eef853e25062332f9a47dbc03e
SSDEEP

6144:QJHzJ9V9+R5q7pVfBl9w6tUZGjEygUY6WJ:WHzhIkVpl9wwAeETLJ

Score

10^/10

redline fronx2 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

fronx2

C2

fronxtracking.com:80

Attributes

auth_value
0a4100df2644a6a6582137d2da2c8bd1

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1728-135-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-136-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-143-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-138-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-146-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-148-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-150-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-152-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-154-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-156-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-158-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-160-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-162-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-164-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-166-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-168-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-170-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-172-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-174-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-176-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-178-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-180-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-182-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-184-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-186-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-188-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-190-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-192-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-194-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-196-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-198-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-200-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-202-0x0000000004C20000-0x0000000004C72000-memory.dmp	family_redline
behavioral1/memory/1728-944-0x0000000004D30000-0x0000000004D40000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2000 1728 WerFault.exe 12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe

pid	pid_target	process	target process
2000	1728	WerFault.exe	12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe

pid	process
1728	12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe
1728	12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe

description pid process

Token: SeDebugPrivilege 1728 12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe

description	pid	process
Token: SeDebugPrivilege	1728	12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe

C:\Users\Admin\AppData\Local\Temp\12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe
"C:\Users\Admin\AppData\Local\Temp\12dc6f5ac9ca2d28ebf75778155f704f33cdff13dc05c462bc7a1ee44d71f2c1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1292
2⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1728 -ip 1728
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-134-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/1728-135-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-136-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-139-0x0000000002120000-0x0000000002182000-memory.dmp

Filesize
392KB

Download
memory/1728-141-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1728-143-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-144-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1728-142-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1728-138-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-146-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-148-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-150-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-152-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-154-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-156-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-158-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-160-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-162-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-164-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-166-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-168-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-170-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-172-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-174-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-176-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-178-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-180-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-182-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-184-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-186-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-188-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-190-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-192-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-194-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-196-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-198-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-200-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-202-0x0000000004C20000-0x0000000004C72000-memory.dmp

Filesize
328KB

Download
memory/1728-929-0x00000000052F0000-0x0000000005908000-memory.dmp

Filesize
6.1MB

Download
memory/1728-930-0x0000000004D10000-0x0000000004D22000-memory.dmp

Filesize
72KB

Download
memory/1728-931-0x0000000005910000-0x0000000005A1A000-memory.dmp

Filesize
1.0MB

Download
memory/1728-932-0x0000000005A20000-0x0000000005A5C000-memory.dmp

Filesize
240KB

Download
memory/1728-933-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1728-934-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/1728-935-0x0000000006CE0000-0x0000000006D72000-memory.dmp

Filesize
584KB

Download
memory/1728-936-0x0000000006DA0000-0x0000000006DF0000-memory.dmp

Filesize
320KB

Download
memory/1728-937-0x0000000006E10000-0x0000000006E86000-memory.dmp

Filesize
472KB

Download
memory/1728-938-0x0000000006FE0000-0x00000000071A2000-memory.dmp

Filesize
1.8MB

Download
memory/1728-939-0x00000000071F0000-0x000000000771C000-memory.dmp

Filesize
5.2MB

Download
memory/1728-940-0x0000000007810000-0x000000000782E000-memory.dmp

Filesize
120KB

Download
memory/1728-942-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1728-943-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1728-944-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/1728-945-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing