redline | f4be8d0218a0e78619344ff5e2b21c702985e2baed31cbbfc5ec30aa5facb17a

General

Target

SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe
Size

368KB
MD5

5ec82862a67012277f2b24f1780e968b
SHA1

3864ae8c39913a910129cd5da3cdc35682ba4ce5
SHA256

f4be8d0218a0e78619344ff5e2b21c702985e2baed31cbbfc5ec30aa5facb17a
SHA512

cc8d0a441eeffd4bdb39268b78d741fb6536a102a27a59a6c0ebbce05700aa042659b2dce810dbf37f9522969883645c12c0fc43dd6730e9d81f3e1f393fbb8a
SSDEEP

6144:I7TaW6ZJ6+z+oY4VmtdVanaf1dL+ZoKO9JLd/DijG2R+5MPIT3kzNgB+DPD5oxzq:8ID6K2/anafnLL/4+GPkGWgDPVEnWH

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1964-5-0x0000000000400000-0x000000000045C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe

description	pid	Process	procid_target
PID 1232 set thread context of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exe

pid	Process
1964	RegAsm.exe
1964	RegAsm.exe
1964	RegAsm.exe
1964	RegAsm.exe
1964	RegAsm.exe
1964	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description	pid	Process
Token: SeDebugPrivilege	1964	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe

description	pid	Process	procid_target
PID 1232 wrote to memory of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85
PID 1232 wrote to memory of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85
PID 1232 wrote to memory of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85
PID 1232 wrote to memory of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85
PID 1232 wrote to memory of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85
PID 1232 wrote to memory of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85
PID 1232 wrote to memory of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85
PID 1232 wrote to memory of 1964	1232	SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe	85

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17245.11822.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-9-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1232-1-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1232-2-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/1232-0-0x00000000008C0000-0x0000000000922000-memory.dmp

Filesize
392KB

Download
memory/1232-8-0x0000000002C90000-0x0000000004C90000-memory.dmp

Filesize
32.0MB

Download
memory/1964-15-0x00000000086B0000-0x0000000008CC8000-memory.dmp

Filesize
6.1MB

Download
memory/1964-18-0x00000000077E0000-0x000000000781C000-memory.dmp

Filesize
240KB

Download
memory/1964-10-0x0000000007AE0000-0x0000000008084000-memory.dmp

Filesize
5.6MB

Download
memory/1964-12-0x00000000075D0000-0x0000000007662000-memory.dmp

Filesize
584KB

Download
memory/1964-13-0x0000000007790000-0x00000000077A0000-memory.dmp

Filesize
64KB

Download
memory/1964-14-0x00000000049C0000-0x00000000049CA000-memory.dmp

Filesize
40KB

Download
memory/1964-16-0x0000000007760000-0x0000000007772000-memory.dmp

Filesize
72KB

Download
memory/1964-5-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1964-17-0x0000000007990000-0x0000000007A9A000-memory.dmp

Filesize
1.0MB

Download
memory/1964-11-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1964-19-0x0000000007830000-0x000000000787C000-memory.dmp

Filesize
304KB

Download
memory/1964-20-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/1964-21-0x0000000009110000-0x0000000009186000-memory.dmp

Filesize
472KB

Download
memory/1964-22-0x0000000009360000-0x0000000009522000-memory.dmp

Filesize
1.8MB

Download
memory/1964-23-0x0000000009A60000-0x0000000009F8C000-memory.dmp

Filesize
5.2MB

Download
memory/1964-24-0x0000000009570000-0x000000000958E000-memory.dmp

Filesize
120KB

Download
memory/1964-25-0x0000000005200000-0x0000000005250000-memory.dmp

Filesize
320KB

Download
memory/1964-26-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1964-27-0x0000000007790000-0x00000000077A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads