Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    21-03-2022 06:42

General

  • Target

    352-215-0x0000000000FE0000-0x000000000111A000-memory.exe

  • Size

    1.2MB

  • MD5

    71f24a064cbf418f0eafa989cc08df8b

  • SHA1

    f1bd0876dc8ae7b61dc990d3df02c89e2a000015

  • SHA256

    cb2e12a627439114e3e5714e9746361739fb4c9f3dc8d9ee1207cea779dbc6ab

  • SHA512

    e7be544287848ad0ff57ce8692795a706976e4f357d64a364bdfe221ecd9c1e341875e1b9d679e2ed7df60cb5262918c1da7c4c45e875669a1f4f768394e293d

Malware Config

Extracted

Family

redline

Botnet

fullwork1488

C2

91.243.32.165:41754

Attributes
  • auth_value

    a4384deb7b09a3c1c21c6447924c2d9a

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • Drops file in Windows directory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\352-215-0x0000000000FE0000-0x000000000111A000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\352-215-0x0000000000FE0000-0x000000000111A000-memory.exe"
    1⤵
      PID:2076
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
      • Drops file in Windows directory
      PID:1564

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1564-142-0x000001D206DF0000-0x000001D206DF4000-memory.dmp
    Filesize

    16KB

  • memory/1564-149-0x000001D206F10000-0x000001D206F14000-memory.dmp
    Filesize

    16KB

  • memory/1564-145-0x000001D206DF0000-0x000001D206DF1000-memory.dmp
    Filesize

    4KB

  • memory/1564-144-0x000001D206E00000-0x000001D206E04000-memory.dmp
    Filesize

    16KB

  • memory/1564-143-0x000001D206DF0000-0x000001D206DF4000-memory.dmp
    Filesize

    16KB

  • memory/1564-139-0x000001D204460000-0x000001D204470000-memory.dmp
    Filesize

    64KB

  • memory/1564-140-0x000001D2044C0000-0x000001D2044D0000-memory.dmp
    Filesize

    64KB

  • memory/1564-141-0x000001D206A60000-0x000001D206A64000-memory.dmp
    Filesize

    16KB

  • memory/2076-138-0x00000000052A0000-0x00000000052DC000-memory.dmp
    Filesize

    240KB

  • memory/2076-134-0x0000000000AF0000-0x0000000000C2A000-memory.dmp
    Filesize

    1.2MB

  • memory/2076-137-0x0000000005370000-0x000000000547A000-memory.dmp
    Filesize

    1.0MB

  • memory/2076-136-0x0000000002DA0000-0x0000000002DB2000-memory.dmp
    Filesize

    72KB

  • memory/2076-146-0x0000000000AF0000-0x0000000000C2A000-memory.dmp
    Filesize

    1.2MB

  • memory/2076-147-0x0000000074440000-0x0000000074BF0000-memory.dmp
    Filesize

    7.7MB

  • memory/2076-148-0x0000000005260000-0x0000000005878000-memory.dmp
    Filesize

    6.1MB

  • memory/2076-135-0x0000000005880000-0x0000000005E98000-memory.dmp
    Filesize

    6.1MB