redline | 320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6

General

Target

320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe
Size

416KB
MD5

f2f07085daf546011773b9e284787d9d
SHA1

010293fe5929bb5337d4eda379e34b20e2422afe
SHA256

320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6
SHA512

960b0c7c473a279f0d8526fd482560add99a4dbc5f5dbbf93fd782af9ff584dd5fc7f0ac6be0962bfdcf1d8a4f388ec8db8b1aeae2a29b5ff29bb110c254abb0
SSDEEP

6144:UFcWL9yZ8JopNDa1rorDZ+DeA9aBSriPm3x9He+rJWjUOn:UFcWRy6JsNDa10rD8ymaQr1h9zWjr

Score

10^/10

redline dozk discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dozk

C2

91.215.85.15:25916

Attributes

auth_value
9f1dc4ff242fb8b53742acae0ef96143

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2420-136-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-137-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-139-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-141-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-145-0x00000000025B0000-0x00000000025C0000-memory.dmp	family_redline
behavioral1/memory/2420-144-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-150-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-148-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-152-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-154-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-156-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-158-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-160-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-162-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-164-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-166-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-168-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-170-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-172-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-174-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-176-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-178-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-182-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-184-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-180-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-186-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-188-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-190-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-192-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-194-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-196-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-198-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-200-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline
behavioral1/memory/2420-202-0x0000000002B40000-0x0000000002B92000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1916 2420 WerFault.exe 320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe

pid	pid_target	process	target process
1916	2420	WerFault.exe	320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe

pid	process
2420	320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe
2420	320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe

description pid process

Token: SeDebugPrivilege 2420 320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe

description	pid	process
Token: SeDebugPrivilege	2420	320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe

C:\Users\Admin\AppData\Local\Temp\320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe
"C:\Users\Admin\AppData\Local\Temp\320ae3b71228a93b5b223a19f0f4c1fa6e95471d0c47a8a892913ef81abdbde6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1220
2⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2420 -ip 2420
1⤵
PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-134-0x00000000009D0000-0x0000000000A32000-memory.dmp

Filesize
392KB

Download
memory/2420-135-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/2420-136-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-137-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-139-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-141-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-145-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2420-144-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-143-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2420-147-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2420-150-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-148-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-152-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-154-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-156-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-158-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-160-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-162-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-164-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-166-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-168-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-170-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-172-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-174-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-176-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-178-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-182-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-184-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-180-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-186-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-188-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-190-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-192-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-194-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-196-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-198-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-200-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-202-0x0000000002B40000-0x0000000002B92000-memory.dmp

Filesize
328KB

Download
memory/2420-929-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/2420-930-0x0000000005B50000-0x0000000005B62000-memory.dmp

Filesize
72KB

Download
memory/2420-931-0x0000000005B70000-0x0000000005C7A000-memory.dmp

Filesize
1.0MB

Download
memory/2420-932-0x0000000005CC0000-0x0000000005CFC000-memory.dmp

Filesize
240KB

Download
memory/2420-933-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2420-934-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/2420-935-0x0000000006660000-0x00000000066F2000-memory.dmp

Filesize
584KB

Download
memory/2420-936-0x0000000006970000-0x00000000069E6000-memory.dmp

Filesize
472KB

Download
memory/2420-937-0x0000000006A60000-0x0000000006C22000-memory.dmp

Filesize
1.8MB

Download
memory/2420-938-0x0000000006C30000-0x000000000715C000-memory.dmp

Filesize
5.2MB

Download
memory/2420-939-0x0000000007250000-0x000000000726E000-memory.dmp

Filesize
120KB

Download
memory/2420-942-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2420-943-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/2420-944-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing