redline | a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e

General

Target

a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
Size

11KB
MD5

038bd2ee88ff4c4990fc6328229b7702
SHA1

7c80698a230be3c6733ded3ee7622fe356c3cb7d
SHA256

a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e
SHA512

6dac9efbecbd525129ce56d9f0f620e101afca8e91e23c48b6f377711d3a9b97fac1d38f8de8c57b73e309b57ebaac7bf152b207c166c0a6ce3eac2b49cac03e

Score

10^/10

redline ayrelia1_installs infostealer suricata

Malware Config

Extracted

Family

redline

Botnet

Ayrelia1_installs

C2

77.83.175.169:11490

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/580-120-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/580-121-0x000000000041A92A-mapping.dmp	family_redline
behavioral1/memory/580-129-0x0000000004E30000-0x0000000005436000-memory.dmp	family_redline

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

Processes:

a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

description	pid	process	target process
PID 4796 set thread context of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

description pid process

Token: SeDebugPrivilege 4796 a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

description	pid	process
Token: SeDebugPrivilege	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

description	pid	process	target process
PID 4796 wrote to memory of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
PID 4796 wrote to memory of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
PID 4796 wrote to memory of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
PID 4796 wrote to memory of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
PID 4796 wrote to memory of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
PID 4796 wrote to memory of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
PID 4796 wrote to memory of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
PID 4796 wrote to memory of 580	4796	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe	a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe

C:\Users\Admin\AppData\Local\Temp\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
"C:\Users\Admin\AppData\Local\Temp\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe
"C:\Users\Admin\AppData\Local\Temp\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe"
2⤵
PID:580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a9963528ae516477d9441d7ed9e9b28ea33c055661a8cafa4b6d541e14317e7e.exe.log
MD5
f4bb5bd0b2282cf9cada18a90a50971a

SHA1
c3954cfd8c8341a571eb49feb3ebf36f8ce46e43

SHA256
cc64510ae8390b72dcdcbafb854e064821bfcebc4d8fa5bac960331fe915485d

SHA512
396f5370479d685cc115612d5a42bccffe3d48f991d17c848aa758af64c177b3e30eaaa1d335422c8773a789fdc1236ee47835fa3b5235632c0e668dd31543a4

Download Submit
memory/580-129-0x0000000004E30000-0x0000000005436000-memory.dmp

Filesize
6.0MB

Download
memory/580-128-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/580-133-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/580-132-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/580-126-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/580-121-0x000000000041A92A-mapping.dmp

Download
memory/580-131-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/580-130-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/580-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/580-127-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/580-125-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/4796-114-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4796-116-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/4796-117-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/4796-119-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/4796-118-0x0000000006710000-0x000000000675E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads