Analysis
-
max time kernel
114s -
max time network
117s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
21-10-2021 12:59
General
-
Target
Umbrella36.5.exe
-
Size
4.6MB
-
MD5
ec04b75101fb19084dc84b466e96ff3b
-
SHA1
f8724452d253486c8acd6c4e43d3f8e25c6aaea4
-
SHA256
1df5e765a070d02080f3a8be3bcd756b20ea5dbb1f50c337b371145e41f05383
-
SHA512
c76f717eb597306f310465b390b10ad0c166ca1beae4ca7c5603e42703b587ec63931c524753307ad6279585cf5eb193053eab5b789ec975844b6083cfcb0926
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
832304211
C2
94.26.248.120:63731
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Umbrella36.5.exe"C:\Users\Admin\AppData\Local\Temp\Umbrella36.5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 2442⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3648-135-0x0000000008AF0000-0x0000000008AF1000-memory.dmpFilesize
4KB
-
memory/3648-133-0x0000000008F80000-0x0000000008F81000-memory.dmpFilesize
4KB
-
memory/3648-127-0x000000000457B23A-mapping.dmp
-
memory/3648-138-0x0000000008A90000-0x0000000008A91000-memory.dmpFilesize
4KB
-
memory/3648-129-0x00000000041B0000-0x00000000041B1000-memory.dmpFilesize
4KB
-
memory/3648-136-0x0000000008A50000-0x0000000008A51000-memory.dmpFilesize
4KB
-
memory/3648-134-0x00000000089C0000-0x00000000089C1000-memory.dmpFilesize
4KB
-
memory/3648-128-0x00000000041B0000-0x00000000041B1000-memory.dmpFilesize
4KB
-
memory/3648-139-0x00000000041B0000-0x00000000041B1000-memory.dmpFilesize
4KB
-
memory/3648-137-0x0000000008970000-0x0000000008F76000-memory.dmpFilesize
6.0MB
-
memory/3648-122-0x0000000004560000-0x0000000004582000-memory.dmpFilesize
136KB
-
memory/3648-130-0x00000000041B0000-0x00000000041B1000-memory.dmpFilesize
4KB
-
memory/3648-131-0x0000000004560000-0x0000000004561000-memory.dmpFilesize
4KB
-
memory/3808-116-0x0000000000EC0000-0x0000000000EC1000-memory.dmpFilesize
4KB
-
memory/3808-121-0x0000000000230000-0x00000000006C8000-memory.dmpFilesize
4.6MB
-
memory/3808-115-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/3808-120-0x0000000001020000-0x0000000001021000-memory.dmpFilesize
4KB
-
memory/3808-119-0x0000000001010000-0x0000000001011000-memory.dmpFilesize
4KB
-
memory/3808-118-0x0000000001000000-0x0000000001001000-memory.dmpFilesize
4KB
-
memory/3808-117-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB