redline | 3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6

General

Target

3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe
Size

328KB
MD5

e9760028176ef7f92c0f23fb4ad05c14
SHA1

9fcd5dd0d440017262ef8914454976078f994858
SHA256

3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6
SHA512

1c3577305bfb7118ef605a5b909b8ad4ef361e25aaaf210ba6ebdedef05713a014fea168ba8d8eba7f35e070c919b5c171c94094a56072c2088453c075d77515
SSDEEP

6144:VSBkLbJit6EQaW8U+Nw4CsP0QKbd/KKXMVCJKsb7u62kfiSsF:VSBkJit6zaWW24jyRXgs/u6uS

Score

10^/10

redline dozk discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dozk

C2

91.215.85.15:25916

Attributes

auth_value
9f1dc4ff242fb8b53742acae0ef96143

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-136-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-137-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-140-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-144-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-146-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-148-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-150-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-152-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-154-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-156-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-158-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-160-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-162-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-164-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-166-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-168-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-170-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-172-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-174-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-176-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-178-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-180-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-182-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-184-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-186-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-188-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-190-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-192-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-194-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-196-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-198-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-200-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-202-0x0000000005480000-0x00000000054D2000-memory.dmp	family_redline
behavioral1/memory/2200-941-0x0000000002780000-0x0000000002790000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4596 2200 WerFault.exe 3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe

pid	pid_target	process	target process
4596	2200	WerFault.exe	3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe

pid	process
2200	3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe
2200	3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe

description pid process

Token: SeDebugPrivilege 2200 3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe

description	pid	process
Token: SeDebugPrivilege	2200	3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe

C:\Users\Admin\AppData\Local\Temp\3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe
"C:\Users\Admin\AppData\Local\Temp\3b9299acc96a1ebe6a8b6fa798a0277ab88b1ee8b4595169bc1a2fe5ffc46ba6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1516
2⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2200 -ip 2200
1⤵
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-134-0x0000000002490000-0x00000000024F2000-memory.dmp

Filesize
392KB

Download
memory/2200-135-0x0000000004ED0000-0x0000000005474000-memory.dmp

Filesize
5.6MB

Download
memory/2200-136-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-137-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-139-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2200-140-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-141-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2200-143-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2200-144-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-146-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-148-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-150-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-152-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-154-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-156-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-158-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-160-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-162-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-164-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-166-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-168-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-170-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-172-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-174-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-176-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-178-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-180-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-182-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-184-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-186-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-188-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-190-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-192-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-194-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-196-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-198-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-200-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-202-0x0000000005480000-0x00000000054D2000-memory.dmp

Filesize
328KB

Download
memory/2200-929-0x00000000054E0000-0x0000000005AF8000-memory.dmp

Filesize
6.1MB

Download
memory/2200-930-0x0000000005B40000-0x0000000005B52000-memory.dmp

Filesize
72KB

Download
memory/2200-931-0x0000000005B60000-0x0000000005C6A000-memory.dmp

Filesize
1.0MB

Download
memory/2200-932-0x0000000005C70000-0x0000000005CAC000-memory.dmp

Filesize
240KB

Download
memory/2200-933-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2200-934-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/2200-935-0x0000000006650000-0x00000000066E2000-memory.dmp

Filesize
584KB

Download
memory/2200-936-0x0000000006960000-0x00000000069D6000-memory.dmp

Filesize
472KB

Download
memory/2200-937-0x0000000006A20000-0x0000000006BE2000-memory.dmp

Filesize
1.8MB

Download
memory/2200-938-0x0000000006C00000-0x000000000712C000-memory.dmp

Filesize
5.2MB

Download
memory/2200-939-0x0000000007240000-0x000000000725E000-memory.dmp

Filesize
120KB

Download
memory/2200-941-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2200-942-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2200-943-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing