redline | 2214bdc78b558176a17484bcc02079a5470e0b49073d50d19b522d67dc4396e3

Analysis

max time kernel
149s
max time network
158s
platform
windows10_x64
resource
win10v20210410
submitted
30-07-2021 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Size

218KB
MD5

760ae5e7793de36ae8159fc128687577
SHA1

0b1e5bd4e2cf0888d66350ecd4bcecf7f950acee
SHA256

36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0
SHA512

ca9d592d86feecafb557ae5422eff45020863b38fc5c36ed32c9381fd2f154a0125f77ed76cc1f1ea3aef04e4874ca36bc2da6d1f634f1ad6d4dfbc7a64f9f30

Score

10^/10

redline ytmaloy6 agilenet infostealer

Malware Config

Extracted

Family

redline

Botnet

ytmaloy6

46.8.19.196:53773

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral9/memory/3408-120-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral9/memory/3408-121-0x0000000000417E2A-mapping.dmp	family_redline

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral9/memory/3256-117-0x0000000002710000-0x0000000002718000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe

description	pid	process	target process
PID 3256 set thread context of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe

description	pid	process
Token: SeDebugPrivilege	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Token: SeDebugPrivilege	3408	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe

description	pid	process	target process
PID 3256 wrote to memory of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
PID 3256 wrote to memory of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
PID 3256 wrote to memory of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
PID 3256 wrote to memory of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
PID 3256 wrote to memory of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
PID 3256 wrote to memory of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
PID 3256 wrote to memory of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
PID 3256 wrote to memory of 3408	3256	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe	36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe

C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
"C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe.log
MD5
7438b57da35c10c478469635b79e33e1

SHA1
5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5

SHA256
b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70

SHA512
5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a

Download Submit
memory/3256-114-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3256-116-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3256-117-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/3256-118-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3256-119-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3408-121-0x0000000000417E2A-mapping.dmp

Download
memory/3408-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3408-125-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3408-126-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3408-127-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3408-128-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/3408-129-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3408-130-0x0000000004C50000-0x0000000005256000-memory.dmp

Filesize
6.0MB

Download