redline | 4545c839b596f8d01becff14bb61ab84ee25af14e6ba63a946d0ff58eb0f8275

Resubmissions

29/06/2023, 01:39

230629-b252psce61 10

29/06/2023, 01:35

230629-bz1n7sce6v 10

Analysis

max time kernel
140s
max time network
40s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29/06/2023, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_x32_x64.exe
Size

748KB
MD5

830b68cd5d7602365e22f4276a59c300
SHA1

e96ae5ba5ddc5bb4f0621f273305a154f1cac6c7
SHA256

886542b9dbb9d5981313562a2f1a0048fa4e590d762c9714a81675d1c53f332d
SHA512

4afbd5fab0d401177510c95691f5efb87fa8be534aae764ba81518b08f754b8245327765dc13450adbcb042c84d8bbe692411d8909792bf5415f32e6616c29a2
SSDEEP

12288:DzaXu1iuIHnVNk7/utyfOCLbnd745u4KUVwVyU4xqodHxiRqwRoOP4ixGZbNCONS:DG+iuaVN2mtyfHvnUWVKdEfoMNixC4if

Score

10^/10

redline @cocacolan discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@CocacolaN

185.106.93.193:48563

Attributes

auth_value
62e77e7581a6d46f06f11ff370e3e0d6

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1240	Setup_x32_x64.exe
1240	Setup_x32_x64.exe
1240	Setup_x32_x64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	Setup_x32_x64.exe

C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_x32_x64.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-54-0x0000000000250000-0x000000000027B000-memory.dmp

Filesize
172KB

Download
memory/1240-56-0x0000000004DD0000-0x0000000004DF6000-memory.dmp

Filesize
152KB

Download
memory/1240-58-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1240-57-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download