redline | 27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b

General

Target

27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe
Size

304KB
MD5

a9a37926c6d3ab63e00b12760fae1e73
SHA1

944d6044e111bbad742d06852c3ed2945dc9e051
SHA256

27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b
SHA512

575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97
SSDEEP

3072:aq6EgY6iQrUjGk14lwPK4qw9LwwPITAztASKwlcZqf7D34leqiOLibBOh:ZqY6iwwPIknATAZA+lcZqf7DIvL

Score

10^/10

redline 25072023 credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

25072023

C2

185.215.113.67:40960

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1580-1-0x0000000000A30000-0x0000000000A82000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

pid	process
1580	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe
1580	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe
1580	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe
1580	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe
1580	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

description pid process

Token: SeDebugPrivilege 1580 27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

description	pid	process
Token: SeDebugPrivilege	1580	27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe

C:\Users\Admin\AppData\Local\Temp\27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe
"C:\Users\Admin\AppData\Local\Temp\27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tmp9A6B.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
memory/1580-23-0x0000000006B10000-0x0000000006B2E000-memory.dmp

Filesize
120KB

Download
memory/1580-3-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/1580-27-0x0000000006CA0000-0x0000000006DAA000-memory.dmp

Filesize
1.0MB

Download
memory/1580-28-0x0000000006BE0000-0x0000000006BF2000-memory.dmp

Filesize
72KB

Download
memory/1580-5-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1580-1-0x0000000000A30000-0x0000000000A82000-memory.dmp

Filesize
328KB

Download
memory/1580-22-0x00000000060D0000-0x0000000006146000-memory.dmp

Filesize
472KB

Download
memory/1580-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/1580-38-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1580-2-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/1580-4-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/1580-29-0x0000000006C40000-0x0000000006C7C000-memory.dmp

Filesize
240KB

Download
memory/1580-30-0x0000000006DB0000-0x0000000006DFC000-memory.dmp

Filesize
304KB

Download
memory/1580-31-0x0000000006EF0000-0x0000000006F56000-memory.dmp

Filesize
408KB

Download
memory/1580-34-0x0000000007100000-0x0000000007150000-memory.dmp

Filesize
320KB

Download
memory/1580-35-0x0000000007E20000-0x0000000007FE2000-memory.dmp

Filesize
1.8MB

Download
memory/1580-36-0x0000000008B20000-0x000000000904C000-memory.dmp

Filesize
5.2MB

Download
memory/1580-26-0x0000000007150000-0x0000000007768000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads