redline | b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb

General

Target

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
Size

657KB
MD5

6b92f239cfb02c043c8e97bbffc806d1
SHA1

1d09bd8954c9dec8002711813d897d3e9776182b
SHA256

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb
SHA512

4ecb22d3c233451312b74c2216abd506fc5a5a24ea66d18329f2f564bbc8124e16007ea090d400cd287f28cc5753cc8f4746042bc7d20f3d18217696bc0444a4

Score

10^/10

redline roddy coreentity infostealer rezer0

Malware Config

Extracted

Family

redline

Botnet

roddy

C2

marioruntime.top:80

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/1904-57-0x0000000000450000-0x0000000000458000-memory.dmp	coreentity

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-62-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/1956-63-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/1956-64-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/1956-65-0x000000000042A2CE-mapping.dmp	family_redline
behavioral1/memory/1956-67-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral1/memory/1956-69-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

CoreCCC Packer 1 IoCs

Detects CoreCCC packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1904-54-0x0000000000EE0000-0x0000000000F8C000-memory.dmp	coreccc

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1904-58-0x0000000000CF0000-0x0000000000D26000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe

description	pid	process	target process
PID 1904 set thread context of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

324 taskkill.exe

pid	process
324	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe

pid	process
1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exeb093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
Token: SeDebugPrivilege	1956	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
Token: SeDebugPrivilege	324	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exeb093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.execmd.exe

description	pid	process	target process
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1904 wrote to memory of 1956	1904	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 1956 wrote to memory of 544	1956	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	cmd.exe
PID 1956 wrote to memory of 544	1956	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	cmd.exe
PID 1956 wrote to memory of 544	1956	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	cmd.exe
PID 1956 wrote to memory of 544	1956	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	cmd.exe
PID 544 wrote to memory of 324	544	cmd.exe	taskkill.exe
PID 544 wrote to memory of 324	544	cmd.exe	taskkill.exe
PID 544 wrote to memory of 324	544	cmd.exe	taskkill.exe
PID 544 wrote to memory of 324	544	cmd.exe	taskkill.exe
PID 544 wrote to memory of 1264	544	cmd.exe	choice.exe
PID 544 wrote to memory of 1264	544	cmd.exe	choice.exe
PID 544 wrote to memory of 1264	544	cmd.exe	choice.exe
PID 544 wrote to memory of 1264	544	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
"C:\Users\Admin\AppData\Local\Temp\b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 1956 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1956
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/324-72-0x0000000000000000-mapping.dmp

Download
memory/544-71-0x0000000000000000-mapping.dmp

Download
memory/1264-73-0x0000000000000000-mapping.dmp

Download
memory/1904-54-0x0000000000EE0000-0x0000000000F8C000-memory.dmp

Filesize
688KB

Download
memory/1904-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/1904-56-0x0000000000560000-0x000000000059E000-memory.dmp

Filesize
248KB

Download
memory/1904-57-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/1904-58-0x0000000000CF0000-0x0000000000D26000-memory.dmp

Filesize
216KB

Download
memory/1956-63-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-65-0x000000000042A2CE-mapping.dmp

Download
memory/1956-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-69-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-62-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-60-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-59-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads