redline | c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98

General

Target

c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe
Size

346KB
MD5

eb298436f35ffbfa16a7a8b24c43212b
SHA1

2bca91453ef12a285d450db7161296685a44aa14
SHA256

c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98
SHA512

6b52ce1248f5ca5d68f0e68ca79624c1f2ea5d2b4f4681de47bdfe8eab9e824cc8e0c5c7ac97c05d47bc2f1bc10252920bf9e2e447d829cc2190c5d0654c6fa9
SSDEEP

6144:eOyp+TLzgxbLPE23Yp8QwOOwMPg0CQBCBc8ezlH:rFTngxbgIfXL/YJQBIez

Score

10^/10

redline @germany discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@Germany

C2

185.11.61.125:22344

Attributes

auth_value
9d15d78194367a949e54a07d6ce02c62

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4104-118-0x00000000027E0000-0x000000000283A000-memory.dmp	family_redline
behavioral1/memory/4104-120-0x0000000005370000-0x00000000053C8000-memory.dmp	family_redline
behavioral1/memory/4104-122-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-123-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-125-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-127-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-129-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-131-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-133-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-135-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-137-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-139-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-141-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-143-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-145-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-147-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-149-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-151-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-153-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-155-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-157-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-159-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-161-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-163-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-165-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-167-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-169-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-171-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-173-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-175-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-177-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-179-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-181-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-183-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline
behavioral1/memory/4104-185-0x0000000005370000-0x00000000053C2000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe

pid process

4104 c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe

description pid process

Token: SeDebugPrivilege 4104 c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe

pid	process
4104	c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe

description	pid	process
Token: SeDebugPrivilege	4104	c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe

C:\Users\Admin\AppData\Local\Temp\c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe
"C:\Users\Admin\AppData\Local\Temp\c0b2b1fa89ee6e4cc91ebe5c362763a0bd77fe2385e85b4192cda93203e61a98.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4104-117-0x00000000008B0000-0x0000000000912000-memory.dmp

Filesize
392KB

Download
memory/4104-118-0x00000000027E0000-0x000000000283A000-memory.dmp

Filesize
360KB

Download
memory/4104-119-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/4104-120-0x0000000005370000-0x00000000053C8000-memory.dmp

Filesize
352KB

Download
memory/4104-121-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4104-122-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-123-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-125-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-127-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-129-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-131-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-133-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-135-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-137-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-139-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-141-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-143-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-145-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-147-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-149-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-151-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-153-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-155-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-157-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-159-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-161-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-163-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-165-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-167-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-169-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-171-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-173-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-175-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-177-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-179-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-181-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-183-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-185-0x0000000005370000-0x00000000053C2000-memory.dmp

Filesize
328KB

Download
memory/4104-912-0x00000000053D0000-0x00000000059D6000-memory.dmp

Filesize
6.0MB

Download
memory/4104-913-0x0000000005A30000-0x0000000005A42000-memory.dmp

Filesize
72KB

Download
memory/4104-914-0x0000000005A60000-0x0000000005B6A000-memory.dmp

Filesize
1.0MB

Download
memory/4104-915-0x0000000005B70000-0x0000000005BAE000-memory.dmp

Filesize
248KB

Download
memory/4104-916-0x0000000002850000-0x0000000002860000-memory.dmp

Filesize
64KB

Download
memory/4104-917-0x0000000005C00000-0x0000000005C4B000-memory.dmp

Filesize
300KB

Download
memory/4104-918-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4104-919-0x0000000006680000-0x0000000006712000-memory.dmp

Filesize
584KB

Download
memory/4104-920-0x0000000006830000-0x00000000068A6000-memory.dmp

Filesize
472KB

Download
memory/4104-921-0x0000000006980000-0x0000000006B42000-memory.dmp

Filesize
1.8MB

Download
memory/4104-922-0x0000000006B50000-0x000000000707C000-memory.dmp

Filesize
5.2MB

Download
memory/4104-923-0x0000000007120000-0x000000000713E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing