redline | c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49

Resubmissions

05-04-2021 09:29

210405-8ga7y7zk36 10

03-04-2021 06:00

210403-gtexn6kycs 10

Analysis

max time kernel
116s
max time network
302s
platform
windows10_x64
resource
win10v20201028
submitted
05-04-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup[1].exe
Size

1.3MB
MD5

0657125b7850a7b5796bf6979da502f0
SHA1

686d1ad201f0706daec7dd9bfa60fd1144a7b876
SHA256

c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49
SHA512

879167e0b34e015e62828151a05b785f3f9b99e2826be73fe9afc4d671dedec19c9994d2481c060e453367885ba16cce0252e7049bdb59c5ee90885f6527e10c

Score

10^/10

redline 010402 infostealer

Malware Config

Extracted

Family

redline

Botnet

010402

194.135.20.72:3214

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4296-14-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral2/memory/4296-15-0x000000000042977E-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4684 set thread context of 4296	4684	Setup[1].exe	79

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4684	Setup[1].exe
4684	Setup[1].exe
4684	Setup[1].exe
4684	Setup[1].exe
4684	Setup[1].exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	Setup[1].exe
Token: SeDebugPrivilege	4296	Setup[1].exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 2924	4684	Setup[1].exe	78
PID 4684 wrote to memory of 2924	4684	Setup[1].exe	78
PID 4684 wrote to memory of 2924	4684	Setup[1].exe	78
PID 4684 wrote to memory of 4296	4684	Setup[1].exe	79
PID 4684 wrote to memory of 4296	4684	Setup[1].exe	79
PID 4684 wrote to memory of 4296	4684	Setup[1].exe	79
PID 4684 wrote to memory of 4296	4684	Setup[1].exe	79
PID 4684 wrote to memory of 4296	4684	Setup[1].exe	79
PID 4684 wrote to memory of 4296	4684	Setup[1].exe	79
PID 4684 wrote to memory of 4296	4684	Setup[1].exe	79
PID 4684 wrote to memory of 4296	4684	Setup[1].exe	79

C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
"C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
  "C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
  2⤵
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
  "C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4296-27-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/4296-26-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/4296-25-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/4296-24-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/4296-23-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/4296-22-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/4296-21-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4296-20-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4296-17-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4296-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4684-8-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/4684-13-0x0000000007F70000-0x0000000007FA1000-memory.dmp

Filesize
196KB

Download
memory/4684-12-0x0000000005A00000-0x0000000005A71000-memory.dmp

Filesize
452KB

Download
memory/4684-11-0x0000000004CB0000-0x0000000004CBC000-memory.dmp

Filesize
48KB

Download
memory/4684-10-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4684-9-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4684-2-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4684-7-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4684-6-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/4684-5-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4684-3-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download