redline | b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d

General

Target

b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe
Size

453KB
MD5

6f3d2621e328f408b6c5e79b46bbc7af
SHA1

07fbb55966921c12e89220f286769af5743ebb82
SHA256

b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d
SHA512

5bba9b5faade1759c4364122375579d35bbf88c5b4bc358e2589b4997d9d9631f55f032b8ad584511d844aa80ab9692f71a2492bf1b4411081875e2ede198a33
SSDEEP

6144:3TEZL9LJj6tpMkdIaH0bJqs2kNSpYjLzo0Kvl8YLDv4W/7l:3YZL9Fj6tp9GZV+YDRBW/

Score

10^/10

redline dozk discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dozk

C2

91.215.85.15:25916

Attributes

auth_value
9f1dc4ff242fb8b53742acae0ef96143

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2568-136-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-137-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-139-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-141-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-143-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-145-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-147-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-149-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-151-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-154-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-157-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-161-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-159-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-163-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-165-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-167-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-169-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-171-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-173-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-175-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-177-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-179-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-181-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-183-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-185-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-187-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-189-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-191-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-193-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-195-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-197-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-199-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline
behavioral1/memory/2568-201-0x0000000002B10000-0x0000000002B62000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe

pid	process
2568	b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe
2568	b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe

description pid process

Token: SeDebugPrivilege 2568 b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe

description	pid	process
Token: SeDebugPrivilege	2568	b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe

C:\Users\Admin\AppData\Local\Temp\b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe
"C:\Users\Admin\AppData\Local\Temp\b88840d4a9f9659d15b704434f74924c0c39759a1951bcd09107ee1aa58ff85d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2568-134-0x0000000000800000-0x0000000000862000-memory.dmp

Filesize
392KB

Download
memory/2568-135-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/2568-136-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-137-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-139-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-141-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-143-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-145-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-147-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-149-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-151-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-153-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2568-154-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-156-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2568-157-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-161-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-159-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-163-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-165-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-167-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-169-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-171-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-173-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-175-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-177-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-179-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-181-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-183-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-185-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-187-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-189-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-191-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-193-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-195-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-197-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-199-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-201-0x0000000002B10000-0x0000000002B62000-memory.dmp

Filesize
328KB

Download
memory/2568-928-0x0000000005630000-0x0000000005C48000-memory.dmp

Filesize
6.1MB

Download
memory/2568-929-0x0000000004F80000-0x0000000004F92000-memory.dmp

Filesize
72KB

Download
memory/2568-930-0x0000000005C50000-0x0000000005D5A000-memory.dmp

Filesize
1.0MB

Download
memory/2568-931-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/2568-932-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2568-933-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/2568-934-0x00000000067B0000-0x0000000006842000-memory.dmp

Filesize
584KB

Download
memory/2568-935-0x0000000006860000-0x00000000068D6000-memory.dmp

Filesize
472KB

Download
memory/2568-936-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/2568-937-0x0000000006AE0000-0x0000000006CA2000-memory.dmp

Filesize
1.8MB

Download
memory/2568-938-0x0000000006CC0000-0x00000000071EC000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing