redline | c4a2c8397cfa4f7f16a317aad541b6c48e35c4420249f702b2c6f01faf66ef61

General

Target

2884a1b8944cf25dad7dda0005b1995e.exe
Size

714KB
MD5

2884a1b8944cf25dad7dda0005b1995e
SHA1

b0df655586ec0e4ef320c609053b1361c12a3084
SHA256

c4a2c8397cfa4f7f16a317aad541b6c48e35c4420249f702b2c6f01faf66ef61
SHA512

f86f5b06c467f99ca231b45bc6d444bea03107c6c3cc133dacc3033a435e92de4b9f1a170bcae55cf493e18ff80e3f1b27c58614ef1831709a087fab9d1ef789

Score

10^/10

redline coreentity infostealer rezer0

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/memory/1400-7-0x0000000008AE0000-0x0000000008AE2000-memory.dmp	coreentity

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4036-9-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral2/memory/4036-10-0x000000000042A3AE-mapping.dmp	family_redline

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/1400-8-0x0000000008D00000-0x0000000008D31000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

2884a1b8944cf25dad7dda0005b1995e.exe

description pid process target process

PID 1400 set thread context of 4036 1400 2884a1b8944cf25dad7dda0005b1995e.exe RegSvcs.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2868 taskkill.exe

description	pid	process	target process
PID 1400 set thread context of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe

pid	process
2868	taskkill.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

2884a1b8944cf25dad7dda0005b1995e.exeRegSvcs.exe

pid	process
1400	2884a1b8944cf25dad7dda0005b1995e.exe
1400	2884a1b8944cf25dad7dda0005b1995e.exe
1400	2884a1b8944cf25dad7dda0005b1995e.exe
1400	2884a1b8944cf25dad7dda0005b1995e.exe
1400	2884a1b8944cf25dad7dda0005b1995e.exe
1400	2884a1b8944cf25dad7dda0005b1995e.exe
4036	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2884a1b8944cf25dad7dda0005b1995e.exeRegSvcs.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1400	2884a1b8944cf25dad7dda0005b1995e.exe
Token: SeDebugPrivilege	4036	RegSvcs.exe
Token: SeDebugPrivilege	2868	taskkill.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

2884a1b8944cf25dad7dda0005b1995e.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 1300	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 1300	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 1300	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 1324	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 1324	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 1324	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 1500	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 1500	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 1500	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 1400 wrote to memory of 4036	1400	2884a1b8944cf25dad7dda0005b1995e.exe	RegSvcs.exe
PID 4036 wrote to memory of 3356	4036	RegSvcs.exe	cmd.exe
PID 4036 wrote to memory of 3356	4036	RegSvcs.exe	cmd.exe
PID 4036 wrote to memory of 3356	4036	RegSvcs.exe	cmd.exe
PID 3356 wrote to memory of 2868	3356	cmd.exe	taskkill.exe
PID 3356 wrote to memory of 2868	3356	cmd.exe	taskkill.exe
PID 3356 wrote to memory of 2868	3356	cmd.exe	taskkill.exe
PID 3356 wrote to memory of 2932	3356	cmd.exe	choice.exe
PID 3356 wrote to memory of 2932	3356	cmd.exe	choice.exe
PID 3356 wrote to memory of 2932	3356	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\2884a1b8944cf25dad7dda0005b1995e.exe
"C:\Users\Admin\AppData\Local\Temp\2884a1b8944cf25dad7dda0005b1995e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 4036 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 4036
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-1-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1400-3-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/1400-4-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/1400-5-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1400-6-0x0000000008A40000-0x0000000008A41000-memory.dmp

Filesize
4KB

Download
memory/1400-7-0x0000000008AE0000-0x0000000008AE2000-memory.dmp

Filesize
8KB

Download
memory/1400-8-0x0000000008D00000-0x0000000008D31000-memory.dmp

Filesize
196KB

Download
memory/1400-0-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-21-0x0000000000000000-mapping.dmp

Download
memory/2932-22-0x0000000000000000-mapping.dmp

Download
memory/3356-20-0x0000000000000000-mapping.dmp

Download
memory/4036-11-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4036-15-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/4036-16-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/4036-17-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/4036-18-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/4036-19-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/4036-14-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/4036-10-0x000000000042A3AE-mapping.dmp

Download
memory/4036-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads