redline | a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8

General

Target

a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe
Size

358KB
MD5

9528532a56a5b30a49484cab6ffbc05a
SHA1

2b3e241cdb4b9f3acd60e4eecc3e224671f18c34
SHA256

a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8
SHA512

d90e2b86f2ae246a1590ab11ebf7795e14cf53b24b2895a27017ca6dee8ed8283e87cb6ebfe26c58d7ed22b7822b0d8eaccd733b72b24e1f33e67e00f4714d1a
SSDEEP

6144:nBqQLNqOZeW1/dOKdi+qcBBVb1Cw5w7PF3Z+TZWPVG:nBqQUOZeq/FScLN1lUtp

Score

10^/10

redline dozk discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dozk

C2

91.215.85.15:25916

Attributes

auth_value
9f1dc4ff242fb8b53742acae0ef96143

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2540-124-0x0000000002740000-0x000000000279A000-memory.dmp	family_redline
behavioral1/memory/2540-126-0x0000000004F30000-0x0000000004F88000-memory.dmp	family_redline
behavioral1/memory/2540-138-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-140-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-136-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-134-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-142-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-144-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-146-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-150-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-148-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-154-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-156-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-152-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-132-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-130-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-129-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-160-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-168-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-178-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-182-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-186-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-190-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-192-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-188-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-184-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-180-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-176-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-174-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-172-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-170-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-166-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-164-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-162-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline
behavioral1/memory/2540-158-0x0000000004F30000-0x0000000004F82000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe

pid	process
2540	a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe
2540	a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe

description pid process

Token: SeDebugPrivilege 2540 a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe

description	pid	process
Token: SeDebugPrivilege	2540	a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe

C:\Users\Admin\AppData\Local\Temp\a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe
"C:\Users\Admin\AppData\Local\Temp\a22db738089d89c6e10e18cc5fad86773398f83feee928c4a45b0deb3c30a6a8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-122-0x0000000002570000-0x00000000025D2000-memory.dmp

Filesize
392KB

Download
memory/2540-123-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2540-124-0x0000000002740000-0x000000000279A000-memory.dmp

Filesize
360KB

Download
memory/2540-125-0x0000000005010000-0x000000000550E000-memory.dmp

Filesize
5.0MB

Download
memory/2540-126-0x0000000004F30000-0x0000000004F88000-memory.dmp

Filesize
352KB

Download
memory/2540-127-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2540-128-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2540-138-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-140-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-136-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-134-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-142-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-144-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-146-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-150-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-148-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-154-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-156-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-152-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-132-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-130-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-129-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-160-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-168-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-178-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-182-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-186-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-190-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-192-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-188-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-184-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-180-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-176-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-174-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-172-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-170-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-166-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-164-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-162-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-158-0x0000000004F30000-0x0000000004F82000-memory.dmp

Filesize
328KB

Download
memory/2540-919-0x0000000005510000-0x0000000005B16000-memory.dmp

Filesize
6.0MB

Download
memory/2540-920-0x0000000005B60000-0x0000000005B72000-memory.dmp

Filesize
72KB

Download
memory/2540-921-0x0000000005B90000-0x0000000005C9A000-memory.dmp

Filesize
1.0MB

Download
memory/2540-922-0x0000000005CA0000-0x0000000005CDE000-memory.dmp

Filesize
248KB

Download
memory/2540-923-0x0000000005D30000-0x0000000005D7B000-memory.dmp

Filesize
300KB

Download
memory/2540-924-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2540-925-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/2540-927-0x0000000006650000-0x00000000066E2000-memory.dmp

Filesize
584KB

Download
memory/2540-928-0x0000000006720000-0x0000000006796000-memory.dmp

Filesize
472KB

Download
memory/2540-929-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2540-930-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2540-931-0x0000000006870000-0x0000000006A32000-memory.dmp

Filesize
1.8MB

Download
memory/2540-932-0x0000000006A40000-0x0000000006F6C000-memory.dmp

Filesize
5.2MB

Download
memory/2540-933-0x0000000007010000-0x000000000702E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing