redline | b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb

General

Target

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
Size

657KB
MD5

6b92f239cfb02c043c8e97bbffc806d1
SHA1

1d09bd8954c9dec8002711813d897d3e9776182b
SHA256

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb
SHA512

4ecb22d3c233451312b74c2216abd506fc5a5a24ea66d18329f2f564bbc8124e16007ea090d400cd287f28cc5753cc8f4746042bc7d20f3d18217696bc0444a4

Score

10^/10

redline roddy infostealer

Malware Config

Extracted

Family

redline

Botnet

roddy

C2

marioruntime.top:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3140-136-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

CoreCCC Packer 1 IoCs

Detects CoreCCC packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/2504-130-0x0000000000130000-0x00000000001DC000-memory.dmp	coreccc

Suspicious use of SetThreadContext 1 IoCs

Processes:

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe

description	pid	process	target process
PID 2504 set thread context of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4512 taskkill.exe

pid	process
4512	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe

pid	process
2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exeb093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
Token: SeDebugPrivilege	3140	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
Token: SeDebugPrivilege	4512	taskkill.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exeb093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.execmd.exe

description	pid	process	target process
PID 2504 wrote to memory of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 2504 wrote to memory of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 2504 wrote to memory of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 2504 wrote to memory of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 2504 wrote to memory of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 2504 wrote to memory of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 2504 wrote to memory of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 2504 wrote to memory of 3140	2504	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
PID 3140 wrote to memory of 4372	3140	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	cmd.exe
PID 3140 wrote to memory of 4372	3140	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	cmd.exe
PID 3140 wrote to memory of 4372	3140	b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe	cmd.exe
PID 4372 wrote to memory of 4512	4372	cmd.exe	taskkill.exe
PID 4372 wrote to memory of 4512	4372	cmd.exe	taskkill.exe
PID 4372 wrote to memory of 4512	4372	cmd.exe	taskkill.exe
PID 4372 wrote to memory of 4928	4372	cmd.exe	choice.exe
PID 4372 wrote to memory of 4928	4372	cmd.exe	choice.exe
PID 4372 wrote to memory of 4928	4372	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
"C:\Users\Admin\AppData\Local\Temp\b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 3140 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\b093aaef126ed498ce1312a782794d1796b3ec334c18c71aa34f0f26cef148eb.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4928

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3140
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2504-130-0x0000000000130000-0x00000000001DC000-memory.dmp

Filesize
688KB

Download
memory/2504-131-0x00000000053F0000-0x0000000005994000-memory.dmp

Filesize
5.6MB

Download
memory/2504-132-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/2504-133-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/2504-134-0x0000000008530000-0x00000000085CC000-memory.dmp

Filesize
624KB

Download
memory/3140-135-0x0000000000000000-mapping.dmp

Download
memory/3140-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3140-137-0x00000000060A0000-0x00000000066B8000-memory.dmp

Filesize
6.1MB

Download
memory/3140-138-0x00000000059C0000-0x00000000059D2000-memory.dmp

Filesize
72KB

Download
memory/3140-139-0x0000000005A20000-0x0000000005A5C000-memory.dmp

Filesize
240KB

Download
memory/3140-140-0x0000000005CD0000-0x0000000005DDA000-memory.dmp

Filesize
1.0MB

Download
memory/4372-141-0x0000000000000000-mapping.dmp

Download
memory/4512-142-0x0000000000000000-mapping.dmp

Download
memory/4928-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads