Technical Analysis of the RedLine Stealer

Writer: Stormsec

RedLine is an information stealer sold on a MaaS (malware-as-a-service) model: it is offered on underground forums, with pricing tiered to the buyer's needs. Its loader uses process hollowing to run under a legitimate name. It spawns Regsvcs.exe in a suspended state and replaces that process's contents: the RedLine PE is mapped into the Regsvcs process, and the main thread's context is rewritten to point at the stealer's entry point before the thread is resumed, so the malware executes as what appears to be a legitimate Regsvcs.exe process.
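As an added detection-side example (not part of the original analysis), the following Python correlates the hollowing chain described above over a per-process API trace: suspended create, write into the child, thread-context change, resume. The event format and the assumption that the loader writes with WriteProcessMemory are constructed for this example, not taken from the sample.

```python
from dataclasses import dataclass, field
from typing import Iterable

CREATE_SUSPENDED = 0x00000004  # documented CreateProcess creation flag


@dataclass
class ApiEvent:
    """One API call from a sandbox/EDR trace (constructed format, not a real product's)."""
    pid: int                      # calling process (the loader)
    api: str                      # Win32 API name
    target: int                   # PID the call acts on
    args: dict = field(default_factory=dict)


# The chain the article describes, in order. Assumption: the loader writes the
# PE with WriteProcessMemory; a section-mapping variant would need another stage.
STAGES = [
    ("CreateProcessW", lambda a: bool(a.get("dwCreationFlags", 0) & CREATE_SUSPENDED)),
    ("WriteProcessMemory", lambda a: True),
    ("SetThreadContext", lambda a: True),
    ("ResumeThread", lambda a: True),
]


def find_hollowing(events: Iterable[ApiEvent]) -> list[dict]:
    """Return one finding per (loader, child) pair that completes the whole chain.
    A suspended create that is only resumed (debugger-style) never fires."""
    progress: dict[tuple[int, int], int] = {}   # (loader, child) -> stages matched
    image: dict[tuple[int, int], str] = {}
    findings = []
    for ev in events:
        key = (ev.pid, ev.target)
        idx = progress.get(key, 0)
        if idx >= len(STAGES):
            continue                              # already reported
        name, ok = STAGES[idx]
        if ev.api == name and ok(ev.args):
            if idx == 0:
                image[key] = ev.args.get("lpApplicationName", "?")
            progress[key] = idx + 1
            if idx + 1 == len(STAGES):
                findings.append({"loader": ev.pid, "child": ev.target, "image": image[key]})
    return findings


# Constructed sample trace: one full chain into Regsvcs.exe, plus a suspended
# child (5300) that is merely resumed and must not be flagged.
SAMPLE = [
    ApiEvent(4100, "CreateProcessW", 5204, {"lpApplicationName": "Regsvcs.exe", "dwCreationFlags": 0x4}),
    ApiEvent(4100, "CreateProcessW", 5300, {"lpApplicationName": "notepad.exe", "dwCreationFlags": 0x4}),
    ApiEvent(4100, "WriteProcessMemory", 5204, {"nSize": 0x2a000}),
    ApiEvent(4100, "SetThreadContext", 5204, {}),
    ApiEvent(4100, "ResumeThread", 5300, {}),
    ApiEvent(4100, "ResumeThread", 5204, {}),
]
```

Run `find_hollowing(SAMPLE)` to get the single Regsvcs.exe finding; feeding a real trace only requires mapping its records onto `ApiEvent`.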

INDUSTRY: Crypto

MALWARE FAMILY: RedLine

ATT&CK IDs: T1113 - Screen Capture, T1059 - Command and Scripting Interpreter, T1140 - Deobfuscate/Decode Files or Information, T1036 - Masquerading, T1055 - Process Injection, T1105 - Ingress Tool Transfer, T1083 - File and Directory Discovery, T1047 - Windows Management Instrumentation, T1016 - System Network Configuration Discovery, T1102 - Web Service, T1055.012 - Process Hollowing
