redline | 4ae2c9fe2e06741ddcb1fc6112fc834011e9ac054d851a5a3a8301c5c1c4bf58 | Triage

Analysis

max time kernel
142s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 18:52

Sharing

Report Analysis Logs

General

Target

1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
Size

200KB
MD5

038ca458ecc3d2731f09dc219644f047
SHA1

2ce33af6fb9d00344c524af3192deb5371c41594
SHA256

4ae2c9fe2e06741ddcb1fc6112fc834011e9ac054d851a5a3a8301c5c1c4bf58
SHA512

5f6e890a296fdef00088270f2c2ff26461ac37e5ffa2c354db52d5a955fccb40c04295d594607166c38d20cb73b283dfa4ca849ede759899d410f8790c5c1da8

Score

10^/10

redline $infostealer

Malware Config

Extracted

Family

redline

Botnet

$

C2

91.242.229.130:26402

Attributes

auth_value
81039c9bd8ac8c604b05080ab4a86168

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2116-130-0x0000000000D30000-0x0000000000D62000-memory.dmp	family_redline

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2116-130-0x0000000000D30000-0x0000000000D62000-memory.dmp	net_reactor

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe

description pid process

Token: SeDebugPrivilege 2116 1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe

C:\Users\Admin\AppData\Local\Temp\1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1684-55-0x0000000001ED0000-0x0000000001F02000-memory.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2116-130-0x0000000000D30000-0x0000000000D62000-memory.dmp

Filesize
200KB

Download