redline | 5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f

General

Target

5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe
Size

355KB
MD5

728fe27c2202d2a6d57f9c69f348354c
SHA1

9bdc80f8cfa4378028749c8794fa88825df6cc6c
SHA256

5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f
SHA512

41c50d0b82dbc9dc9ea55a61c197c4f219e3ec4c5ef7c20ba0401ba6d473fbdca3bc16ef728bf07f328dc097ee0199926896c7cb132071a008cb9f93ca451b3a
SSDEEP

6144:686lrrCxUel6NIfAly2Y7iA0CiSV8JkRtgrj4C/tfYP:l6lrWxUe+y2YqCb8CtgrECB

Score

10^/10

redline @chicago discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@chicago

C2

185.11.61.125:22344

Attributes

auth_value
21f863e0cbd09d0681058e068d0d1d7f

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-138-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-139-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-145-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-143-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-141-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-147-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-149-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-153-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-155-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-157-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-159-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-151-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-161-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-163-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-165-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-167-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-169-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-171-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-173-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-176-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-178-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-180-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-182-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-184-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-186-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-188-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-190-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-192-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-194-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-196-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-198-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-200-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline
behavioral1/memory/1992-202-0x00000000067F0000-0x0000000006842000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1512 1992 WerFault.exe 5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe

pid process

1992 5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe

description pid process

Token: SeDebugPrivilege 1992 5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe

pid	pid_target	process	target process
1512	1992	WerFault.exe	5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe

pid	process
1992	5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe

description	pid	process
Token: SeDebugPrivilege	1992	5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe

C:\Users\Admin\AppData\Local\Temp\5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe
"C:\Users\Admin\AppData\Local\Temp\5f6d75e871ef22e17f4bc0c802bf580a7fda567261cb0a3d4a6600b746b7512f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1244
2⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1992 -ip 1992
1⤵
PID:4872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-134-0x0000000003820000-0x0000000003882000-memory.dmp

Filesize
392KB

Download
memory/1992-136-0x0000000003D40000-0x0000000003D50000-memory.dmp

Filesize
64KB

Download
memory/1992-135-0x0000000003D40000-0x0000000003D50000-memory.dmp

Filesize
64KB

Download
memory/1992-137-0x0000000006200000-0x00000000067A4000-memory.dmp

Filesize
5.6MB

Download
memory/1992-138-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-139-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-145-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-143-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-141-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-147-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-149-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-153-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-155-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-157-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-159-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-151-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-161-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-163-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-165-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-167-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-169-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-171-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-174-0x0000000003D40000-0x0000000003D50000-memory.dmp

Filesize
64KB

Download
memory/1992-173-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-176-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-178-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-180-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-182-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-184-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-186-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-188-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-190-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-192-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-194-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-196-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-198-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-200-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-202-0x00000000067F0000-0x0000000006842000-memory.dmp

Filesize
328KB

Download
memory/1992-929-0x0000000006850000-0x0000000006E68000-memory.dmp

Filesize
6.1MB

Download
memory/1992-930-0x0000000006F10000-0x0000000006F22000-memory.dmp

Filesize
72KB

Download
memory/1992-931-0x0000000006F30000-0x000000000703A000-memory.dmp

Filesize
1.0MB

Download
memory/1992-932-0x0000000007040000-0x000000000707C000-memory.dmp

Filesize
240KB

Download
memory/1992-933-0x0000000003D40000-0x0000000003D50000-memory.dmp

Filesize
64KB

Download
memory/1992-934-0x0000000007350000-0x00000000073B6000-memory.dmp

Filesize
408KB

Download
memory/1992-935-0x0000000007A20000-0x0000000007AB2000-memory.dmp

Filesize
584KB

Download
memory/1992-936-0x0000000007AD0000-0x0000000007B46000-memory.dmp

Filesize
472KB

Download
memory/1992-937-0x0000000007B90000-0x0000000007BAE000-memory.dmp

Filesize
120KB

Download
memory/1992-938-0x0000000007C40000-0x0000000007E02000-memory.dmp

Filesize
1.8MB

Download
memory/1992-939-0x0000000007E10000-0x000000000833C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing