redline | 295a967765f271e81098a48ad70905c64973266742d655e18c27369d00f13280

General

Target

qu3031.exe
Size

345KB
MD5

123d4ad0b6ff03500edba05b11c1671b
SHA1

91e37cea652c56fa4a1392d23e81631f8a8a9e5f
SHA256

295a967765f271e81098a48ad70905c64973266742d655e18c27369d00f13280
SHA512

db03c1c4e8389706821820af0514faefda358f9ae3a9efd5a34bac78fd50dae8bc95498b3fd545e839cdd916373a7ebe1da8ddd8efa69b8029f891b780d0d9af
SSDEEP

6144:hiuo+rLcXfNbdX5AoKpelCoQqDmJLIGv7XpCd3bM/zDig02TpgBsDiYn:hiuTrYXfNb5yoKH2mJ/v70rOfigLKe

Score

10^/10

redline rosn discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4084-136-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-137-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-139-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-142-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-146-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-148-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-150-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-152-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-154-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-156-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-158-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-160-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-162-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-164-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-166-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-168-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-170-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-172-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-174-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-176-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-178-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-180-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-182-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-184-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-186-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-188-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-190-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-192-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-194-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-196-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-198-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-200-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline
behavioral2/memory/4084-202-0x0000000003D60000-0x0000000003D9F000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2664 4084 WerFault.exe qu3031.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

qu3031.exe

pid process

4084 qu3031.exe
4084 qu3031.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

qu3031.exe

description pid process

Token: SeDebugPrivilege 4084 qu3031.exe

pid	pid_target	process	target process
2664	4084	WerFault.exe	qu3031.exe

pid	process
4084	qu3031.exe
4084	qu3031.exe

description	pid	process
Token: SeDebugPrivilege	4084	qu3031.exe

C:\Users\Admin\AppData\Local\Temp\qu3031.exe
"C:\Users\Admin\AppData\Local\Temp\qu3031.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1260
2⤵
- Program crash
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4084 -ip 4084
1⤵
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4084-134-0x0000000003770000-0x00000000037BB000-memory.dmp

Filesize
300KB

Download
memory/4084-135-0x00000000062A0000-0x0000000006844000-memory.dmp

Filesize
5.6MB

Download
memory/4084-136-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-137-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-139-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-142-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-143-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/4084-140-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/4084-145-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/4084-146-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-148-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-150-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-152-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-154-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-156-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-158-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-160-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-162-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-164-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-166-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-168-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-170-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-172-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-174-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-176-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-178-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-180-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-182-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-184-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-186-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-188-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-190-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-192-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-194-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-196-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-198-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-200-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-202-0x0000000003D60000-0x0000000003D9F000-memory.dmp

Filesize
252KB

Download
memory/4084-1045-0x0000000006850000-0x0000000006E68000-memory.dmp

Filesize
6.1MB

Download
memory/4084-1046-0x0000000006E70000-0x0000000006F7A000-memory.dmp

Filesize
1.0MB

Download
memory/4084-1047-0x0000000003E20000-0x0000000003E32000-memory.dmp

Filesize
72KB

Download
memory/4084-1048-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/4084-1049-0x0000000006F80000-0x0000000006FBC000-memory.dmp

Filesize
240KB

Download
memory/4084-1051-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/4084-1052-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/4084-1053-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/4084-1054-0x0000000007260000-0x00000000072F2000-memory.dmp

Filesize
584KB

Download
memory/4084-1055-0x0000000007300000-0x0000000007366000-memory.dmp

Filesize
408KB

Download
memory/4084-1056-0x0000000007A10000-0x0000000007BD2000-memory.dmp

Filesize
1.8MB

Download
memory/4084-1057-0x0000000007BF0000-0x000000000811C000-memory.dmp

Filesize
5.2MB

Download
memory/4084-1058-0x0000000008390000-0x0000000008406000-memory.dmp

Filesize
472KB

Download
memory/4084-1059-0x0000000008420000-0x0000000008470000-memory.dmp

Filesize
320KB

Download
memory/4084-1060-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing