redline | 7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb

General

Target

7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe
Size

284KB
MD5

be4cd419236fdecb292f3346eb452847
SHA1

cce5f13de70c2d20e559782fb40ffe5fe795a4f0
SHA256

7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb
SHA512

574c9cef83bc72f847832a074e696e1b6e457fbcd1e7d0774b91270a73341e116567a384ca47409550c1a3c21f4b818e259fd544f80c3a02ba3a84b00b5b98fb
SSDEEP

6144:6mkqdg0HUjyqV9aMaAjfIw6cOT8U5AjRe9/fEOHNpcKtnst4:PkquuqV9aMaisP5AK3VtzKt

Score

10^/10

redline fronx2 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

fronx2

C2

fronxtracking.com:80

Attributes

auth_value
0a4100df2644a6a6582137d2da2c8bd1

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1172-136-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-137-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-139-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-141-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-143-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-145-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-147-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-149-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-151-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-154-0x0000000004C70000-0x0000000004C80000-memory.dmp	family_redline
behavioral1/memory/1172-155-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-157-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-159-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-161-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-163-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-165-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-167-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-169-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-171-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-173-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-175-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-177-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-179-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-181-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-183-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-185-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-187-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-189-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-191-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-193-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-195-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-197-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-199-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline
behavioral1/memory/1172-201-0x0000000004AD0000-0x0000000004B22000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4876 1172 WerFault.exe 7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe

pid	pid_target	process	target process
4876	1172	WerFault.exe	7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe

pid	process
1172	7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe
1172	7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe

description pid process

Token: SeDebugPrivilege 1172 7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe

description	pid	process
Token: SeDebugPrivilege	1172	7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe

C:\Users\Admin\AppData\Local\Temp\7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe
"C:\Users\Admin\AppData\Local\Temp\7bc590996efecdb8864e1e535ecda27990f78108e9ce4c642a3c1f9bce3de7bb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1292
2⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1172 -ip 1172
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-134-0x0000000000650000-0x00000000006B2000-memory.dmp

Filesize
392KB

Download
memory/1172-135-0x0000000004C80000-0x0000000005224000-memory.dmp

Filesize
5.6MB

Download
memory/1172-136-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-137-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-139-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-141-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-143-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-145-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-147-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-149-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-151-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-153-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1172-154-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1172-155-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-157-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-159-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-161-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-163-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-165-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-167-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-169-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-171-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-173-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-175-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-177-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-179-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-181-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-183-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-185-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-187-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-189-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-191-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-193-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-195-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-197-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-199-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-201-0x0000000004AD0000-0x0000000004B22000-memory.dmp

Filesize
328KB

Download
memory/1172-928-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/1172-929-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/1172-930-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/1172-931-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

Filesize
240KB

Download
memory/1172-932-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1172-933-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/1172-934-0x0000000006A70000-0x0000000006B02000-memory.dmp

Filesize
584KB

Download
memory/1172-935-0x0000000006B20000-0x0000000006B70000-memory.dmp

Filesize
320KB

Download
memory/1172-936-0x0000000006B80000-0x0000000006BF6000-memory.dmp

Filesize
472KB

Download
memory/1172-937-0x00000000070A0000-0x00000000070BE000-memory.dmp

Filesize
120KB

Download
memory/1172-938-0x00000000071C0000-0x0000000007382000-memory.dmp

Filesize
1.8MB

Download
memory/1172-940-0x0000000007390000-0x00000000078BC000-memory.dmp

Filesize
5.2MB

Download
memory/1172-941-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1172-942-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/1172-944-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing