redline | 44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa

General

Target

44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe
Size

287KB
MD5

61e72355e97422967390d230a63ca9c7
SHA1

d03868e26c0d5014d2f73166e1a0222cfc554633
SHA256

44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa
SHA512

e234ca0027acf29c401e7956be16e31051685f89025138e2edb3b0d59122829b3bfc7bfb64e0c1e0f8a9c787d63baaf4cff283403bb78676f66e26abf36bef41
SSDEEP

6144:NdV9xYq6GvGHFu35ZQavA6ruZ0tr/HLijsV:NdV9xYq6tY5Z/M0tTH80

Score

10^/10

redline dozk discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dozk

C2

91.215.85.15:25916

Attributes

auth_value
9f1dc4ff242fb8b53742acae0ef96143

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2480-136-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-137-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-139-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-141-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-143-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-145-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-147-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-149-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-151-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-153-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-155-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-162-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-158-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-164-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-166-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-168-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-170-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-172-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-174-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-176-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-178-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-180-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-182-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-184-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-186-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-188-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-190-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-192-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-194-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-196-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-198-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-200-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline
behavioral1/memory/2480-202-0x0000000004C10000-0x0000000004C62000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4852 2480 WerFault.exe 44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe

pid	pid_target	process	target process
4852	2480	WerFault.exe	44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe

pid	process
2480	44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe
2480	44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe

description pid process

Token: SeDebugPrivilege 2480 44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe

description	pid	process
Token: SeDebugPrivilege	2480	44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe

C:\Users\Admin\AppData\Local\Temp\44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe
"C:\Users\Admin\AppData\Local\Temp\44d2ca0e54c31c44c0986bdd05b861f6168c294d9bf424eab039fdee8f7fadaa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1460
2⤵
- Program crash
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2480 -ip 2480
1⤵
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2480-134-0x0000000002200000-0x0000000002262000-memory.dmp

Filesize
392KB

Download
memory/2480-135-0x0000000004DE0000-0x0000000005384000-memory.dmp

Filesize
5.6MB

Download
memory/2480-136-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-137-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-139-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-141-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-143-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-145-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-147-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-149-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-151-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-153-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-156-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2480-155-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-159-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2480-161-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2480-162-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-158-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-164-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-166-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-168-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-170-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-172-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-174-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-176-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-178-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-180-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-182-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-184-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-186-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-188-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-190-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-192-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-194-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-196-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-198-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-200-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-202-0x0000000004C10000-0x0000000004C62000-memory.dmp

Filesize
328KB

Download
memory/2480-929-0x0000000005390000-0x00000000059A8000-memory.dmp

Filesize
6.1MB

Download
memory/2480-930-0x0000000004D10000-0x0000000004D22000-memory.dmp

Filesize
72KB

Download
memory/2480-931-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/2480-932-0x0000000004D30000-0x0000000004D6C000-memory.dmp

Filesize
240KB

Download
memory/2480-933-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2480-934-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/2480-935-0x0000000006540000-0x00000000065D2000-memory.dmp

Filesize
584KB

Download
memory/2480-936-0x0000000006610000-0x0000000006686000-memory.dmp

Filesize
472KB

Download
memory/2480-937-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/2480-938-0x00000000068B0000-0x0000000006DDC000-memory.dmp

Filesize
5.2MB

Download
memory/2480-939-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

Filesize
120KB

Download
memory/2480-943-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2480-942-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/2480-944-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing