redline | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09

General

Target

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Size

798KB
MD5

4c274d6a3b4f39556ecd377da5492982
SHA1

559fcd5cfcb3477571c8a36e451375e2b0405754
SHA256

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09
SHA512

8433324ac1a4b0ce7fd8f096a889d3b525fe80dd8faadc23439b3fe6be6d100e76c7cfc3749360b57455a50faea5a8670e6ddfb354599dca9b6b8577d8ccddf8

Score

10^/10

redline mastif infostealer

Malware Config

Extracted

Family

redline

Botnet

Mastif

C2

94.103.93.226:81

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1716-60-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline
behavioral1/memory/1716-61-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline
behavioral1/memory/1716-62-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline
behavioral1/memory/1716-63-0x0000000000427D9E-mapping.dmp	family_redline
behavioral1/memory/1716-65-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline
behavioral1/memory/1716-67-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe

description	pid	process	target process
PID 292 set thread context of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

880 taskkill.exe

pid	process
880	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1716	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Token: SeDebugPrivilege	880	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.execmd.exe

description	pid	process	target process
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 292 wrote to memory of 1716	292	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 1716 wrote to memory of 672	1716	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	cmd.exe
PID 1716 wrote to memory of 672	1716	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	cmd.exe
PID 1716 wrote to memory of 672	1716	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	cmd.exe
PID 1716 wrote to memory of 672	1716	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	cmd.exe
PID 672 wrote to memory of 880	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 880	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 880	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 880	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 1480	672	cmd.exe	choice.exe
PID 672 wrote to memory of 1480	672	cmd.exe	choice.exe
PID 672 wrote to memory of 1480	672	cmd.exe	choice.exe
PID 672 wrote to memory of 1480	672	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
"C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 1716 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 1716
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-54-0x0000000000C20000-0x0000000000CE6000-memory.dmp

Filesize
792KB

Download
memory/292-55-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/292-56-0x0000000000AB0000-0x0000000000AE4000-memory.dmp

Filesize
208KB

Download
memory/672-69-0x0000000000000000-mapping.dmp

Download
memory/880-70-0x0000000000000000-mapping.dmp

Download
memory/1480-71-0x0000000000000000-mapping.dmp

Download
memory/1716-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1716-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1716-63-0x0000000000427D9E-mapping.dmp

Download
memory/1716-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1716-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1716-68-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1716-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1716-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1716-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads