redline | a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505

General

Target

a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
Size

297KB
MD5

cd581d68ed550455444ee6e099c44266
SHA1

f131d587578336651fd3e325b82b6c185a4b6429
SHA256

a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505
SHA512

33f94920032436cd45906c27cd5b39f47f9519ab5a1a6745bd8a69d81ce729d8e5e425a7538b5f4f6992bd3804e0376085f5da1c28cf9f4d664cabe64036d0b5
SSDEEP

3072:xqFFrqwIOGBHy9MGSwTc425F7dw4AhTiNhdSCTZifjIxcZqf7D34leqiOLCbBOu:QBIOGf4259dnTZcscZqf7DIvL

Score

10^/10

redline 123 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

123

C2

185.215.113.67:40960

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4356-1-0x0000000000F60000-0x0000000000FB0000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
2192	6.exe
2192	6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 2192	4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe	100
PID 4356 wrote to memory of 2192	4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe	100
PID 4356 wrote to memory of 2192	4356	a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe	100

C:\Users\Admin\AppData\Local\Temp\a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe
"C:\Users\Admin\AppData\Local\Temp\a2ebb4bbf2ae4f7755b3ab604996e6c7e570ac8837ca544854ed696a81972505.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\6.exe
  "C:\Users\Admin\AppData\Local\Temp\6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.8MB

MD5
5bb3677a298d7977d73c2d47b805b9c3

SHA1
91933eb9b40281e59dd7e73d8b7dac77c5e42798

SHA256
85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f

SHA512
d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

Download Submit
memory/2192-35-0x0000000000890000-0x00000000010AE000-memory.dmp

Filesize
8.1MB

Download
memory/2192-34-0x00000000008E2000-0x0000000000B72000-memory.dmp

Filesize
2.6MB

Download
memory/2192-33-0x0000000000890000-0x00000000010AE000-memory.dmp

Filesize
8.1MB

Download
memory/2192-32-0x0000000000890000-0x00000000010AE000-memory.dmp

Filesize
8.1MB

Download
memory/2192-30-0x0000000000890000-0x00000000010AE000-memory.dmp

Filesize
8.1MB

Download
memory/2192-29-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/2192-28-0x00000000008E2000-0x0000000000B72000-memory.dmp

Filesize
2.6MB

Download
memory/4356-6-0x0000000006940000-0x0000000006F58000-memory.dmp

Filesize
6.1MB

Download
memory/4356-8-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/4356-10-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/4356-11-0x0000000006510000-0x0000000006576000-memory.dmp

Filesize
408KB

Download
memory/4356-12-0x00000000071F0000-0x0000000007240000-memory.dmp

Filesize
320KB

Download
memory/4356-13-0x0000000008270000-0x0000000008432000-memory.dmp

Filesize
1.8MB

Download
memory/4356-14-0x0000000008970000-0x0000000008E9C000-memory.dmp

Filesize
5.2MB

Download
memory/4356-9-0x0000000005B60000-0x0000000005B9C000-memory.dmp

Filesize
240KB

Download
memory/4356-26-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4356-7-0x0000000005BD0000-0x0000000005CDA000-memory.dmp

Filesize
1.0MB

Download
memory/4356-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/4356-5-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4356-4-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/4356-3-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/4356-2-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/4356-1-0x0000000000F60000-0x0000000000FB0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing