redline | 7ca61d0c6da0befe6f8dcb57e761d655eaf524c6266425bbf18fcc5a02351f32

General

Target

usfive_20210923-211555.exe
Size

129KB
MD5

f3ece1fccde488f4b34e2e6d8acf8bc6
SHA1

b2388fd305a16419830d2a1f77bd06aeb163a570
SHA256

7ca61d0c6da0befe6f8dcb57e761d655eaf524c6266425bbf18fcc5a02351f32
SHA512

1433bf9963c9092e93bf16ea565596b9b0878c71bc477de8ab6d1c725c099a00467063339271f82ab151f62377701332e076688abb379215124d9be7b8d73939

Score

10^/10

redline raketa infostealer

Malware Config

Extracted

Family

redline

Botnet

raketa

C2

45.144.29.94:61419

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4004-120-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/4004-121-0x000000000041C5D2-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

usfive_20210923-211555.exe

description pid process target process

PID 664 set thread context of 4004 664 usfive_20210923-211555.exe usfive_20210923-211555.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4080 664 WerFault.exe usfive_20210923-211555.exe

description	pid	process	target process
PID 664 set thread context of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe

pid	pid_target	process	target process
4080	664	WerFault.exe	usfive_20210923-211555.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe
4080	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

usfive_20210923-211555.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	664	usfive_20210923-211555.exe
Token: SeRestorePrivilege	4080	WerFault.exe
Token: SeBackupPrivilege	4080	WerFault.exe
Token: SeDebugPrivilege	4080	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

usfive_20210923-211555.exe

description	pid	process	target process
PID 664 wrote to memory of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe
PID 664 wrote to memory of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe
PID 664 wrote to memory of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe
PID 664 wrote to memory of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe
PID 664 wrote to memory of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe
PID 664 wrote to memory of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe
PID 664 wrote to memory of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe
PID 664 wrote to memory of 4004	664	usfive_20210923-211555.exe	usfive_20210923-211555.exe

C:\Users\Admin\AppData\Local\Temp\usfive_20210923-211555.exe
"C:\Users\Admin\AppData\Local\Temp\usfive_20210923-211555.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\usfive_20210923-211555.exe
"C:\Users\Admin\AppData\Local\Temp\usfive_20210923-211555.exe"
2⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 928
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-123-0x0000000005220000-0x0000000005223000-memory.dmp

Filesize
12KB

Download
memory/664-115-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/664-116-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/664-117-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/664-118-0x00000000053B0000-0x00000000058AE000-memory.dmp

Filesize
5.0MB

Download
memory/664-119-0x00000000051D0000-0x00000000051E8000-memory.dmp

Filesize
96KB

Download
memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4004-120-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4004-121-0x000000000041C5D2-mapping.dmp

Download
memory/4004-125-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/4004-126-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4004-127-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4004-128-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4004-129-0x0000000005120000-0x0000000005726000-memory.dmp

Filesize
6.0MB

Download
memory/4004-130-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads