Analysis
- max time kernel: 142s
- max time network: 81s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 18:52
Behavioral task: behavioral1
- Sample: 1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
- Resource: win10v2004-20220414-en
General
- Target: 1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
- Size: 200KB
- MD5: 038ca458ecc3d2731f09dc219644f047
- SHA1: 2ce33af6fb9d00344c524af3192deb5371c41594
- SHA256: 4ae2c9fe2e06741ddcb1fc6112fc834011e9ac054d851a5a3a8301c5c1c4bf58
- SHA512: 5f6e890a296fdef00088270f2c2ff26461ac37e5ffa2c354db52d5a955fccb40c04295d594607166c38d20cb73b283dfa4ca849ede759899d410f8790c5c1da8
Malware Config
Extracted: redline
- $
- 91.242.229.130:26402
- auth_value: 81039c9bd8ac8c604b05080ab4a86168
Signatures
- RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (1 IoCs)
Processes:
resource: behavioral2/memory/2116-130-0x0000000000D30000-0x0000000000D62000-memory.dmp; yara_rule: family_redline
- .NET Reactor protector (1 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource: behavioral2/memory/2116-130-0x0000000000D30000-0x0000000000D62000-memory.dmp; yara_rule: net_reactor
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
description: Token: SeDebugPrivilege; pid: 2116; process: 1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
Downloads
- memory/2116-130-0x0000000000D30000-0x0000000000D62000-memory.dmp (filesize: 200KB)