redline | 39ced9ce7f72d80de250324b40971e5dace016a0352e4ab8e80e02b227c6e63d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build.exe
Size

300KB
MD5

b37933f48d0b61450c6729cae4792eb1
SHA1

3845acf08857bba33c954ce4756ae1e6ca9849e0
SHA256

39ced9ce7f72d80de250324b40971e5dace016a0352e4ab8e80e02b227c6e63d
SHA512

632d74e4997e5d2b9b03be1588939ec7ae0c58af96039ff62380f6d6c21d6325a8612685127120e5858582adc7a3f54e27c53e47b5777298aa09b7404f2384b7
SSDEEP

3072:icZqf7D34fp/0+mAckyQE1Q0glNvB1fA0PuTVAtkxzZ3R0eqiOL2bBOA:icZqf7DIxnmyTB1fA0GTV8k78L

Score

10^/10

redline 1v discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

195.177.92.88:1912

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2816-1-0x0000000000D40000-0x0000000000D92000-memory.dmp	family_redline

Redline family
redline
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2816	build.exe
2816	build.exe
2816	build.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	build.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/2816-1-0x0000000000D40000-0x0000000000D92000-memory.dmp

Filesize
328KB

Download
memory/2816-2-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/2816-3-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/2816-4-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/2816-5-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download