redline | f4be8d0218a0e78619344ff5e2b21c702985e2baed31cbbfc5ec30aa5facb17a

General

Target

SecuriteInfo.com.Win32.PWSX-gen.17245.exe
Size

368KB
MD5

5ec82862a67012277f2b24f1780e968b
SHA1

3864ae8c39913a910129cd5da3cdc35682ba4ce5
SHA256

f4be8d0218a0e78619344ff5e2b21c702985e2baed31cbbfc5ec30aa5facb17a
SHA512

cc8d0a441eeffd4bdb39268b78d741fb6536a102a27a59a6c0ebbce05700aa042659b2dce810dbf37f9522969883645c12c0fc43dd6730e9d81f3e1f393fbb8a
SSDEEP

6144:I7TaW6ZJ6+z+oY4VmtdVanaf1dL+ZoKO9JLd/DijG2R+5MPIT3kzNgB+DPD5oxzq:8ID6K2/anafnLL/4+GPkGWgDPVEnWH

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4808-5-0x0000000000400000-0x000000000045C000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.17245.exe

description pid process target process

PID 4600 set thread context of 4808 4600 SecuriteInfo.com.Win32.PWSX-gen.17245.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RegAsm.exe

pid process

4808 RegAsm.exe
4808 RegAsm.exe
4808 RegAsm.exe
4808 RegAsm.exe
4808 RegAsm.exe
4808 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 4808 RegAsm.exe

description	pid	process	target process
PID 4600 set thread context of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe

pid	process
4808	RegAsm.exe
4808	RegAsm.exe
4808	RegAsm.exe
4808	RegAsm.exe
4808	RegAsm.exe
4808	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4808	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.17245.exe

description	pid	process	target process
PID 4600 wrote to memory of 4040	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4040	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4040	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe
PID 4600 wrote to memory of 4808	4600	SecuriteInfo.com.Win32.PWSX-gen.17245.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17245.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17245.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4600-10-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4600-1-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4600-2-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/4600-0-0x0000000000F80000-0x0000000000FE2000-memory.dmp

Filesize
392KB

Download
memory/4600-7-0x00000000034B0000-0x00000000054B0000-memory.dmp

Filesize
32.0MB

Download
memory/4808-16-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/4808-18-0x0000000007A00000-0x0000000007A3C000-memory.dmp

Filesize
240KB

Download
memory/4808-11-0x0000000007C20000-0x00000000081C4000-memory.dmp

Filesize
5.6MB

Download
memory/4808-12-0x0000000007750000-0x00000000077E2000-memory.dmp

Filesize
584KB

Download
memory/4808-13-0x0000000007740000-0x000000000774A000-memory.dmp

Filesize
40KB

Download
memory/4808-14-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/4808-15-0x00000000087F0000-0x0000000008E08000-memory.dmp

Filesize
6.1MB

Download
memory/4808-5-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4808-17-0x0000000007AD0000-0x0000000007BDA000-memory.dmp

Filesize
1.0MB

Download
memory/4808-9-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4808-19-0x0000000007A60000-0x0000000007AAC000-memory.dmp

Filesize
304KB

Download
memory/4808-20-0x0000000008240000-0x00000000082A6000-memory.dmp

Filesize
408KB

Download
memory/4808-21-0x0000000009090000-0x0000000009106000-memory.dmp

Filesize
472KB

Download
memory/4808-22-0x00000000087D0000-0x00000000087EE000-memory.dmp

Filesize
120KB

Download
memory/4808-23-0x0000000009F90000-0x0000000009FE0000-memory.dmp

Filesize
320KB

Download
memory/4808-24-0x0000000009460000-0x0000000009622000-memory.dmp

Filesize
1.8MB

Download
memory/4808-25-0x000000000A510000-0x000000000AA3C000-memory.dmp

Filesize
5.2MB

Download
memory/4808-26-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4808-27-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/4808-29-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing