redline | 954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43

General

Target

954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe
Size

346KB
MD5

9cf3298901842c643243c9e3cd31ac56
SHA1

bdf63819bcec3439a44399ebf51df0aecf79a64e
SHA256

954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43
SHA512

053d3a92671eba2361d5b9d1fb74c45f4d07a9a23e62cc01ceb8792515d2e15f3b7185e3d9ae5d7081c23eaee3d2c36feb08705c019add0d7fc343b0721bb1f6
SSDEEP

6144:mHm2hLWK6w5smg+wVeYfqNCkedR0/5FX46KHy7DE7kj:am2hiK6w5smgnlfqNCklFXDKHeDh

Score

10^/10

redline dozk discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dozk

C2

91.215.85.15:25916

Attributes

auth_value
9f1dc4ff242fb8b53742acae0ef96143

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3556-136-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-137-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-139-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-142-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-145-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-148-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-150-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-152-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-154-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-156-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-158-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-160-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-162-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-164-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-166-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-168-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-170-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-172-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-174-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-176-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-178-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-180-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-182-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-184-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-186-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-188-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-190-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-192-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-194-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-196-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-198-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-200-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline
behavioral1/memory/3556-202-0x0000000004EC0000-0x0000000004F12000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4744 3556 WerFault.exe 954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe

pid	pid_target	process	target process
4744	3556	WerFault.exe	954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe

pid	process
3556	954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe
3556	954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe

description pid process

Token: SeDebugPrivilege 3556 954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe

description	pid	process
Token: SeDebugPrivilege	3556	954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe

C:\Users\Admin\AppData\Local\Temp\954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe
"C:\Users\Admin\AppData\Local\Temp\954a1107e8881be8bb1fc0b0b0221894d9df7c92f5831ddf144a4780488e5d43.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1224
2⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3556 -ip 3556
1⤵
PID:3804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3556-134-0x0000000002490000-0x00000000024F2000-memory.dmp

Filesize
392KB

Download
memory/3556-135-0x0000000005030000-0x00000000055D4000-memory.dmp

Filesize
5.6MB

Download
memory/3556-136-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-137-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-139-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-141-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3556-142-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-144-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3556-146-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3556-145-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-148-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-150-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-152-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-154-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-156-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-158-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-160-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-162-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-164-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-166-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-168-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-170-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-172-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-174-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-176-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-178-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-180-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-182-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-184-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-186-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-188-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-190-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-192-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-194-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-196-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-198-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-200-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-202-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/3556-929-0x00000000055E0000-0x0000000005BF8000-memory.dmp

Filesize
6.1MB

Download
memory/3556-930-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/3556-931-0x0000000005C00000-0x0000000005D0A000-memory.dmp

Filesize
1.0MB

Download
memory/3556-932-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3556-933-0x0000000004F80000-0x0000000004FBC000-memory.dmp

Filesize
240KB

Download
memory/3556-934-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/3556-935-0x0000000006650000-0x00000000066E2000-memory.dmp

Filesize
584KB

Download
memory/3556-936-0x0000000006820000-0x0000000006896000-memory.dmp

Filesize
472KB

Download
memory/3556-937-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/3556-938-0x0000000006980000-0x0000000006B42000-memory.dmp

Filesize
1.8MB

Download
memory/3556-939-0x0000000006B60000-0x000000000708C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing