redline | bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0

General

Target

bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe
Size

444KB
MD5

7001870699ed7414326f4ebb3843e740
SHA1

0085850fa84f6a4733e8e95c897ee8a175154e80
SHA256

bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0
SHA512

024b9e3b8e6bb16e2cc323ed44e49285a8e1c806bc3ceb8dc4ab4d15c683a0d7c05618b30fc9a77f05ceac826ba1aad2fa38e38f0c7a722dae2c1310a4f78620
SSDEEP

12288:4zCC9kBFqYO/Qg4K6mnkMSZWlPmdHng1mMt4ijh2jOCQl:4LKBgeKlkBZWlPm9g1Btph2Kv

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/856-1-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
856	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3624	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	83
PID 3592 wrote to memory of 3624	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	83
PID 3592 wrote to memory of 3624	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	83
PID 3592 wrote to memory of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84
PID 3592 wrote to memory of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84
PID 3592 wrote to memory of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84
PID 3592 wrote to memory of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84
PID 3592 wrote to memory of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84
PID 3592 wrote to memory of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84
PID 3592 wrote to memory of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84
PID 3592 wrote to memory of 856	3592	bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe	84

C:\Users\Admin\AppData\Local\Temp\bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe
"C:\Users\Admin\AppData\Local\Temp\bcc22f2725eaf1fd450c39ff9a8ea5c681c1eb644b8e0605a8315d5b9ed7e5b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-8-0x0000000006480000-0x0000000006A98000-memory.dmp

Filesize
6.1MB

Download
memory/856-10-0x0000000005EF0000-0x0000000005F02000-memory.dmp

Filesize
72KB

Download
memory/856-19-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/856-9-0x0000000005FC0000-0x00000000060CA000-memory.dmp

Filesize
1.0MB

Download
memory/856-4-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/856-5-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/856-6-0x0000000004E40000-0x0000000004E4A000-memory.dmp

Filesize
40KB

Download
memory/856-7-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/856-1-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/856-17-0x0000000008AB0000-0x0000000008FDC000-memory.dmp

Filesize
5.2MB

Download
memory/856-3-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/856-11-0x0000000005F50000-0x0000000005F8C000-memory.dmp

Filesize
240KB

Download
memory/856-12-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/856-13-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/856-14-0x0000000006BA0000-0x0000000006C16000-memory.dmp

Filesize
472KB

Download
memory/856-15-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/856-16-0x00000000083B0000-0x0000000008572000-memory.dmp

Filesize
1.8MB

Download
memory/3592-0-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3592-2-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing