Analysis
max time kernel: 140s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 21-03-2022 06:42
Static task: static1
Behavioral task: behavioral1
Sample: 352-215-0x0000000000FE0000-0x000000000111A000-memory.exe
Resource: win7-20220310-en
Behavioral task: behavioral2
Sample: 352-215-0x0000000000FE0000-0x000000000111A000-memory.exe
Resource: win10v2004-20220310-en
General
Target: 352-215-0x0000000000FE0000-0x000000000111A000-memory.exe
Size: 1.2MB
MD5: 71f24a064cbf418f0eafa989cc08df8b
SHA1: f1bd0876dc8ae7b61dc990d3df02c89e2a000015
SHA256: cb2e12a627439114e3e5714e9746361739fb4c9f3dc8d9ee1207cea779dbc6ab
SHA512: e7be544287848ad0ff57ce8692795a706976e4f357d64a364bdfe221ecd9c1e341875e1b9d679e2ed7df60cb5262918c1da7c4c45e875669a1f4f768394e293d
Malware Config
Extracted
Family: redline
Botnet: fullwork1488
C2: 91.243.32.165:41754
Attributes: auth_value a4384deb7b09a3c1c21c6447924c2d9a
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 2 IoCs
resource | yara_rule
behavioral2/memory/2076-134-0x0000000000AF0000-0x0000000000C2A000-memory.dmp | family_redline
behavioral2/memory/2076-146-0x0000000000AF0000-0x0000000000C2A000-memory.dmp | family_redline
Drops file in Windows directory 56 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\352-215-0x0000000000FE0000-0x000000000111A000-memory.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\352-215-0x0000000000FE0000-0x000000000111A000-memory.exe"
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  signatures: Drops file in Windows directory
Downloads
memory/1564-142-0x000001D206DF0000-0x000001D206DF4000-memory.dmp, Filesize 16KB
memory/1564-149-0x000001D206F10000-0x000001D206F14000-memory.dmp, Filesize 16KB
memory/1564-145-0x000001D206DF0000-0x000001D206DF1000-memory.dmp, Filesize 4KB
memory/1564-144-0x000001D206E00000-0x000001D206E04000-memory.dmp, Filesize 16KB
memory/1564-143-0x000001D206DF0000-0x000001D206DF4000-memory.dmp, Filesize 16KB
memory/1564-139-0x000001D204460000-0x000001D204470000-memory.dmp, Filesize 64KB
memory/1564-140-0x000001D2044C0000-0x000001D2044D0000-memory.dmp, Filesize 64KB
memory/1564-141-0x000001D206A60000-0x000001D206A64000-memory.dmp, Filesize 16KB
memory/2076-138-0x00000000052A0000-0x00000000052DC000-memory.dmp, Filesize 240KB
memory/2076-134-0x0000000000AF0000-0x0000000000C2A000-memory.dmp, Filesize 1.2MB
memory/2076-137-0x0000000005370000-0x000000000547A000-memory.dmp, Filesize 1.0MB
memory/2076-136-0x0000000002DA0000-0x0000000002DB2000-memory.dmp, Filesize 72KB
memory/2076-146-0x0000000000AF0000-0x0000000000C2A000-memory.dmp, Filesize 1.2MB
memory/2076-147-0x0000000074440000-0x0000000074BF0000-memory.dmp, Filesize 7.7MB
memory/2076-148-0x0000000005260000-0x0000000005878000-memory.dmp, Filesize 6.1MB
memory/2076-135-0x0000000005880000-0x0000000005E98000-memory.dmp, Filesize 6.1MB