redline | 060dcbf520bb4a9581523bee99b52335fda2b9dfbada42f5635be3c437fba325

Analysis

max time kernel
25s
max time network
29s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-06-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05616799.exe
Size

273KB
MD5

390fc797574a89ae91508f774896ef68
SHA1

07b43779b0b3e9503f8bb54d2a3877edc05a80d6
SHA256

060dcbf520bb4a9581523bee99b52335fda2b9dfbada42f5635be3c437fba325
SHA512

0a83f853d7547b6b295102c0323b72c7420b72b0f9a4f6775b186d39dc8a3dd0069abe2d22b98db84eb091a7ab9d4888d9ce7c03cbacbe8c2ddde31e7c2908ea
SSDEEP

6144:HE55Zk/2d9dzyCQ5MHVf73hLxGJWTt+AoM2:HE5ZkqdzyUHLLxKWr

Score

10^/10

redline @durak9876 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@Durak9876

94.142.138.4:80

Attributes

auth_value
7349e2db57cd9fb7fbca9d54c1dfaaf9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	05616799.exe
1972	05616799.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	05616799.exe

C:\Users\Admin\AppData\Local\Temp\05616799.exe
"C:\Users\Admin\AppData\Local\Temp\05616799.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-54-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/1972-58-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/1972-59-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/1972-60-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download