redline | f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262

General

Target

f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe
Size

304KB
MD5

1b099f749669dfe00b4177988018fc40
SHA1

c007e18cbe95b286b146531a01dde05127ebd747
SHA256

f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262
SHA512

87dc26b28cb2c43c788d9ae9ef384b69be52b27500bc23cdc6acc8567e51705d99ef942cdc0b23fa6a7c84d4ddaaa8f05865a8e7bb4ad943ba5deabf7a4105fd
SSDEEP

3072:Oq6EgY6iwrUjdy68KwPMCqJRn7cTAVtAaK0FcZqf7D341eqiOLibBOU:1qY6ihwPIzn7cTAbAqFcZqf7DIfL

Score

10^/10

redline credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

C2

185.215.113.9:12617

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1168-1-0x0000000000A90000-0x0000000000AE2000-memory.dmp	family_redline

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

pid	process
1168	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe
1168	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe
1168	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe
1168	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe
1168	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

description pid process

Token: SeDebugPrivilege 1168 f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

description	pid	process
Token: SeDebugPrivilege	1168	f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe

C:\Users\Admin\AppData\Local\Temp\f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe
"C:\Users\Admin\AppData\Local\Temp\f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tmp3498.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
memory/1168-21-0x0000000006B10000-0x0000000006B2E000-memory.dmp

Filesize
120KB

Download
memory/1168-3-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/1168-25-0x0000000006CA0000-0x0000000006DAA000-memory.dmp

Filesize
1.0MB

Download
memory/1168-26-0x0000000006BE0000-0x0000000006BF2000-memory.dmp

Filesize
72KB

Download
memory/1168-5-0x0000000005760000-0x000000000576A000-memory.dmp

Filesize
40KB

Download
memory/1168-1-0x0000000000A90000-0x0000000000AE2000-memory.dmp

Filesize
328KB

Download
memory/1168-20-0x0000000006090000-0x0000000006106000-memory.dmp

Filesize
472KB

Download
memory/1168-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/1168-36-0x0000000074810000-0x0000000074FC1000-memory.dmp

Filesize
7.7MB

Download
memory/1168-2-0x0000000005AE0000-0x0000000006086000-memory.dmp

Filesize
5.6MB

Download
memory/1168-4-0x0000000074810000-0x0000000074FC1000-memory.dmp

Filesize
7.7MB

Download
memory/1168-27-0x0000000006C40000-0x0000000006C7C000-memory.dmp

Filesize
240KB

Download
memory/1168-28-0x0000000006DB0000-0x0000000006DFC000-memory.dmp

Filesize
304KB

Download
memory/1168-29-0x0000000006F00000-0x0000000006F66000-memory.dmp

Filesize
408KB

Download
memory/1168-32-0x0000000007970000-0x00000000079C0000-memory.dmp

Filesize
320KB

Download
memory/1168-33-0x0000000008000000-0x00000000081C2000-memory.dmp

Filesize
1.8MB

Download
memory/1168-34-0x0000000008F90000-0x00000000094BC000-memory.dmp

Filesize
5.2MB

Download
memory/1168-24-0x0000000007150000-0x0000000007768000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads