redline | 9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba

General

Target

9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe
Size

352KB
MD5

ad2b8ac2e0d0a023ca6004d27711fe1a
SHA1

a9e85569f6e0a7612706d3651cbe6b9a29a67d02
SHA256

9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba
SHA512

bbf62e8acd8c5f48eb604e6a993b2af634384fde347a37a978bd636b84c3ed0bcac9bd5f8e23302c640f7a9637b94ef1f51d3dfe5762ecbaef8f2d94323a5064
SSDEEP

6144:Ajeu+jlc6bgFpH7PDnwDEnwSY5cGyFr6fwSb9zYj:YevjlcCgFpbjS5cLFmfwStA

Score

10^/10

redline dozk discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

dozk

C2

91.215.85.15:25916

Attributes

auth_value
9f1dc4ff242fb8b53742acae0ef96143

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4124-117-0x0000000007230000-0x000000000728A000-memory.dmp	family_redline
behavioral1/memory/4124-123-0x0000000007290000-0x00000000072E8000-memory.dmp	family_redline
behavioral1/memory/4124-124-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-125-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-127-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-129-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-131-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-133-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-135-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-137-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-139-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-141-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-143-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-145-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-147-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-149-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-151-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-153-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-155-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-157-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-159-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-161-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-163-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-165-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-167-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-169-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-171-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-173-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-177-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-175-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-179-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-181-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-183-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-185-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline
behavioral1/memory/4124-187-0x0000000007290000-0x00000000072E2000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe

pid	process
4124	9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe
4124	9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe

description pid process

Token: SeDebugPrivilege 4124 9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe

description	pid	process
Token: SeDebugPrivilege	4124	9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe

C:\Users\Admin\AppData\Local\Temp\9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe
"C:\Users\Admin\AppData\Local\Temp\9fc2a0858f7a6cc44e72c22d5305fb13dec4c9ff0f78aaf1857c8434abdee2ba.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4124-117-0x0000000007230000-0x000000000728A000-memory.dmp

Filesize
360KB

Download
memory/4124-118-0x0000000007420000-0x000000000791E000-memory.dmp

Filesize
5.0MB

Download
memory/4124-119-0x00000000048C0000-0x0000000004922000-memory.dmp

Filesize
392KB

Download
memory/4124-120-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/4124-121-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/4124-122-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/4124-123-0x0000000007290000-0x00000000072E8000-memory.dmp

Filesize
352KB

Download
memory/4124-124-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-125-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-127-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-129-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-131-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-133-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-135-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-137-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-139-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-141-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-143-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-145-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-147-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-149-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-151-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-153-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-155-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-157-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-159-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-161-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-163-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-165-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-167-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-169-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-171-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-173-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-177-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-175-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-179-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-181-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-183-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-185-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-187-0x0000000007290000-0x00000000072E2000-memory.dmp

Filesize
328KB

Download
memory/4124-914-0x0000000007920000-0x0000000007F26000-memory.dmp

Filesize
6.0MB

Download
memory/4124-915-0x0000000007380000-0x0000000007392000-memory.dmp

Filesize
72KB

Download
memory/4124-916-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/4124-917-0x00000000073B0000-0x00000000073EE000-memory.dmp

Filesize
248KB

Download
memory/4124-918-0x0000000008070000-0x00000000080BB000-memory.dmp

Filesize
300KB

Download
memory/4124-919-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download
memory/4124-920-0x0000000008300000-0x0000000008366000-memory.dmp

Filesize
408KB

Download
memory/4124-921-0x0000000008990000-0x0000000008A22000-memory.dmp

Filesize
584KB

Download
memory/4124-922-0x0000000008A50000-0x0000000008AC6000-memory.dmp

Filesize
472KB

Download
memory/4124-923-0x0000000008B00000-0x0000000008B1E000-memory.dmp

Filesize
120KB

Download
memory/4124-924-0x0000000008CD0000-0x0000000008E92000-memory.dmp

Filesize
1.8MB

Download
memory/4124-925-0x0000000008EB0000-0x00000000093DC000-memory.dmp

Filesize
5.2MB

Download
memory/4124-927-0x0000000007410000-0x0000000007420000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing