Analysis

  • max time kernel
    83s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-05-2022 08:13

General

  • Target

    1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe

  • Size

    128KB

  • MD5

    77b49c81d784041d22770dbfeba1c7a8

  • SHA1

    226bbfa4106903b2abd5258570a50015735470dd

  • SHA256

    c0c4c8b30747f29c680f7ce6dac8440f526cdddcb800ef69a6c2cd44077af2dc

  • SHA512

    e2e3869e577372f911a03eb36012acf708dc19f4f8592e99a478cfc11791980e5465bc222ed21e873d49193cb2aae30e3477d4da4269512733cda5d2ab2b032d

Malware Config

Extracted

  • Family

    redline

  • Botnet

    Install

  • C2

    176.10.119.117:27038

  • Attributes
    • auth_value

      701b6467f584b2d5c52fa31ecce6761d
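The C2 endpoint and auth_value above are the values the sandbox extracted from the sample's configuration. The script below is an added example, not part of the report, showing how a responder would turn that config into a flow-log check and a Suricata rule: it matches the extracted ip:port against Zeek-style conn.log records and, optionally, flags any flow to the C2 host regardless of port. The conn.log lines, the internal host addresses and the uids in them are constructed for illustration, and the Suricata sid is arbitrary.

```python
"""Match the extracted RedLine C2 against flow logs and render a rule.

Added example, not part of the sandbox report. REDLINE_CONFIG copies the
report's "Malware Config" values; SAMPLE_CONN_LOG is constructed here
(made-up internal hosts and uids) so the script runs offline.
"""
import ipaddress
from typing import Iterator

# Values from the report's "Malware Config" section.
REDLINE_CONFIG = {
    "family": "redline",
    "botnet": "Install",
    "c2": ["176.10.119.117:27038"],
    "auth_value": "701b6467f584b2d5c52fa31ecce6761d",
}

# Constructed sample records in Zeek conn.log column order (subset):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
SAMPLE_CONN_LOG = """\
1652688793.000000\tCabc1\t10.0.0.5\t49712\t176.10.119.117\t27038\ttcp
1652688794.000000\tCabc2\t10.0.0.5\t49713\t176.10.119.117\t443\ttcp
1652688795.000000\tCabc3\t10.0.0.7\t49714\t93.184.216.34\t80\ttcp
1652688796.000000\tCabc4\t10.0.0.9\t51000\t176.10.119.117\t27038\ttcp
"""


def parse_c2(entry: str) -> tuple[str, int]:
    """Split an 'ip:port' config entry into a validated (ip, port) pair."""
    host, _, port = entry.rpartition(":")
    return str(ipaddress.ip_address(host)), int(port)


def c2_endpoints(config: dict) -> set[tuple[str, int]]:
    """All C2 endpoints in the config as (ip, port) tuples."""
    return {parse_c2(e) for e in config["c2"]}


def iter_conn(log_text: str) -> Iterator[dict]:
    """Yield one dict per conn.log record, skipping comments and blanks."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, oh, op, rh, rp, proto = line.split("\t")
        yield {"ts": ts, "uid": uid, "orig_h": oh, "orig_p": int(op),
               "resp_h": rh, "resp_p": int(rp), "proto": proto}


def find_c2_flows(log_text: str, config: dict, ip_only: bool = False) -> list[dict]:
    """Return flows whose responder matches an extracted C2.

    By default the match is on the exact ip:port pair. With ip_only=True any
    flow to a C2 host is returned, which catches a changed listener port at
    the cost of more noise.
    """
    targets = c2_endpoints(config)
    hosts = {ip for ip, _ in targets}
    hits = []
    for rec in iter_conn(log_text):
        exact = (rec["resp_h"], rec["resp_p"]) in targets
        if exact or (ip_only and rec["resp_h"] in hosts):
            hits.append(rec)
    return hits


def suricata_rule(config: dict, sid: int) -> str:
    """Render a Suricata rule for the first C2 entry (sid is caller-chosen)."""
    ip, port = parse_c2(config["c2"][0])
    return (f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"RedLine C2 ({config["botnet"]}) connection"; '
            f"flow:to_server; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    for hit in find_c2_flows(SAMPLE_CONN_LOG, REDLINE_CONFIG):
        print(hit["uid"], hit["orig_h"], "->", hit["resp_h"], hit["resp_p"])
    print(suricata_rule(REDLINE_CONFIG, 1000001))
```

The exact-endpoint match is the low-noise default; the ip_only switch is there because a stealer operator can move the listener port without changing the host, so a hunt over historical flow data usually runs both.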

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • Program crash 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\1212-65-0x00000000004A0000-0x00000000004C0000-memory.exe"
    1⤵
      PID:4328
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 772
        2⤵
        • Program crash
        PID:3036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4328 -ip 4328
      1⤵
        PID:4392

Network

MITRE ATT&CK Matrix

Downloads

  • memory/4328-130-0x0000000000B00000-0x0000000000B20000-memory.dmp
    Filesize

    128KB
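Both the submitted target and the downloadable dump carry the same name layout, `<pid>-<n>-0x<start>-0x<end>-memory.<ext>`; decoding it shows the target was itself a 0x20000-byte (128KB) region dumped from PID 1212 in an earlier run, matching the reported size, and the new dump is the same-sized region from PID 4328. A dumped region is not in general a loadable PE, so the WerFault crash in the process tree is the expected outcome of launching it directly rather than evidence that the sample is inert. The script below is an added example, not part of the report: it parses that name layout (inferred from the two names on this page), checks the region size against the reported size, and verifies a local copy of the file against the hashes listed under General.

```python
"""Decode sandbox memory-dump file names and verify the reported hashes.

Added example, not part of the sandbox report. The name layout
'<pid>-<n>-0x<start>-0x<end>-memory.<exe|dmp>' is inferred from the two
names on this page; REPORTED holds the digests the report lists.
"""
import hashlib
import re
from dataclasses import dataclass

DUMP_NAME = re.compile(
    r"^(?P<pid>\d+)-(?P<index>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.(?P<ext>exe|dmp)$"
)

# Digests from the report's "General" section.
REPORTED = {
    "md5": "77b49c81d784041d22770dbfeba1c7a8",
    "sha1": "226bbfa4106903b2abd5258570a50015735470dd",
    "sha256": "c0c4c8b30747f29c680f7ce6dac8440f526cdddcb800ef69a6c2cd44077af2dc",
    "sha512": ("e2e3869e577372f911a03eb36012acf708dc19f4f8592e99a478cfc11791980e"
               "5465bc222ed21e873d49193cb2aae30e3477d4da4269512733cda5d2ab2b032d"),
}
REPORTED_SIZE = 128 * 1024


@dataclass(frozen=True)
class DumpRegion:
    pid: int      # process the region was dumped from
    index: int    # sandbox's per-run dump counter
    start: int    # region base address in that process
    end: int      # region end address (exclusive)
    ext: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> DumpRegion:
    """Parse a dump file name; raises ValueError if it does not fit the layout."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory-dump file name: {name!r}")
    return DumpRegion(int(m["pid"]), int(m["index"]),
                      int(m["start"], 16), int(m["end"], 16), m["ext"])


def hash_bytes(data: bytes, algs=tuple(REPORTED)) -> dict:
    """Digest the data with every algorithm the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algs}


def verify(data: bytes, reported: dict = REPORTED) -> dict:
    """Per-algorithm match of the data's digests against the reported ones."""
    actual = hash_bytes(data, tuple(reported))
    return {alg: actual[alg] == reported[alg].lower() for alg in reported}


def consistent_with_report(name: str, data: bytes,
                           reported_size: int = REPORTED_SIZE) -> bool:
    """True only if name, byte length, region size and all digests agree."""
    region = parse_dump_name(name)
    sizes_agree = region.size == reported_size == len(data)
    return sizes_agree and all(verify(data).values())


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        region = parse_dump_name(name.rsplit("/", 1)[-1])
        with open(name, "rb") as fh:
            blob = fh.read()
        print(name, f"pid={region.pid} size=0x{region.size:x}",
              "OK" if consistent_with_report(region and name.rsplit("/", 1)[-1], blob) else "MISMATCH")
```

Run it with the path to a local copy of the target; a MISMATCH on the size check alone (digests aside) means the file on disk is not the region the name describes, which is the first thing to rule out before comparing a re-dumped sample against this report.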