Overview

overview

10

Static

static

a35219fe61...b8.exe

windows7_x64

10

a35219fe61...b8.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    18-05-2021 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a35219fe6193aeef80d635355b36acb8.exe

  • Size

    591KB

  • MD5

    a35219fe6193aeef80d635355b36acb8

  • SHA1

    8939a982a71466ddb9cf55ffef8461afc9035694

  • SHA256

    b9c886eb7a2ac9a654c0bf3639c98125b14f5ae64cf26d36a26edbdb09e4ec3f

  • SHA512

    755a56f2dc66a1361d20d22253a70fa13c3d3a3a7bcccb25ef68e1028657f3acc5cfb14c88ea71d23c33f841ef146a9e9290d014a61b98c4d2c77f0528495115

Score
10/10
redlinetoolagilenetinfostealer

Malware Config

Extracted

Family

redline

Botnet

TOOL

C2

45.140.146.214:20498

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a35219fe6193aeef80d635355b36acb8.exe
    "C:\Users\Admin\AppData\Local\Temp\a35219fe6193aeef80d635355b36acb8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Users\Admin\AppData\Local\Temp\a35219fe6193aeef80d635355b36acb8.exe
      C:\Users\Admin\AppData\Local\Temp\a35219fe6193aeef80d635355b36acb8.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/212-126-0x0000000005220000-0x0000000005221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-125-0x0000000005770000-0x0000000005771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-130-0x0000000005530000-0x0000000005531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-129-0x00000000052C0000-0x00000000052C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-128-0x0000000005160000-0x0000000005766000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/212-122-0x0000000000416082-mapping.dmp

    Download

  • memory/212-127-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/212-121-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/656-116-0x0000000005740000-0x0000000005741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/656-114-0x0000000000900000-0x0000000000901000-memory.dmp

    Filesize

    4KB

    Download

  • memory/656-120-0x0000000005210000-0x000000000521A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/656-119-0x00000000051A0000-0x00000000051A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/656-118-0x0000000005240000-0x000000000573E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/656-117-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download