redline | 301a510700f2ebccd25fc5cc6c579ead2196b957ed81aa3eda29c7bc40887c26

General

Target

954b39f45379c530b7f659d697c29ac7.exe
Size

487KB
MD5

954b39f45379c530b7f659d697c29ac7
SHA1

9fa7dcb754041cc878f6ca3a71581a04e3b23427
SHA256

301a510700f2ebccd25fc5cc6c579ead2196b957ed81aa3eda29c7bc40887c26
SHA512

aecda633e082d00a5d9989aad8e20e300372efdcdbe4f48991b7fb7f70079d7465f420c278167edf25656966c44ac03ab72c3f1aaa18962771bee63364e7a6d8

Score

10^/10

redline v113 agilenet infostealer

Malware Config

Extracted

Family

redline

Botnet

v113

C2

45.150.67.141:8054

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-64-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline
behavioral1/memory/1668-65-0x00000000004163C6-mapping.dmp	family_redline
behavioral1/memory/1668-66-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1056-63-0x0000000000540000-0x000000000054B000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

954b39f45379c530b7f659d697c29ac7.exe

description pid process target process

PID 1056 set thread context of 1668 1056 954b39f45379c530b7f659d697c29ac7.exe AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

954b39f45379c530b7f659d697c29ac7.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1056 954b39f45379c530b7f659d697c29ac7.exe
Token: SeDebugPrivilege 1668 AddInProcess32.exe

description	pid	process	target process
PID 1056 set thread context of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1056	954b39f45379c530b7f659d697c29ac7.exe
Token: SeDebugPrivilege	1668	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

954b39f45379c530b7f659d697c29ac7.exe

description	pid	process	target process
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe
PID 1056 wrote to memory of 1668	1056	954b39f45379c530b7f659d697c29ac7.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\954b39f45379c530b7f659d697c29ac7.exe
"C:\Users\Admin\AppData\Local\Temp\954b39f45379c530b7f659d697c29ac7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-60-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1056-62-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1056-63-0x0000000000540000-0x000000000054B000-memory.dmp

Filesize
44KB

Download
memory/1668-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1668-65-0x00000000004163C6-mapping.dmp

Download
memory/1668-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1668-68-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads