redline | 2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09

General

Target

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Size

798KB
MD5

4c274d6a3b4f39556ecd377da5492982
SHA1

559fcd5cfcb3477571c8a36e451375e2b0405754
SHA256

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09
SHA512

8433324ac1a4b0ce7fd8f096a889d3b525fe80dd8faadc23439b3fe6be6d100e76c7cfc3749360b57455a50faea5a8670e6ddfb354599dca9b6b8577d8ccddf8

Score

10^/10

redline mastif infostealer

Malware Config

Extracted

Family

redline

Botnet

Mastif

C2

94.103.93.226:81

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3992-136-0x0000000000400000-0x000000000042C000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe

description	pid	process	target process
PID 4928 set thread context of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

340 taskkill.exe

pid	process
340	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe

pid	process
4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Token: SeDebugPrivilege	3992	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
Token: SeDebugPrivilege	340	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.execmd.exe

description	pid	process	target process
PID 4928 wrote to memory of 856	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 856	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 856	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 4928 wrote to memory of 3992	4928	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
PID 3992 wrote to memory of 4016	3992	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	cmd.exe
PID 3992 wrote to memory of 4016	3992	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	cmd.exe
PID 3992 wrote to memory of 4016	3992	2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe	cmd.exe
PID 4016 wrote to memory of 340	4016	cmd.exe	taskkill.exe
PID 4016 wrote to memory of 340	4016	cmd.exe	taskkill.exe
PID 4016 wrote to memory of 340	4016	cmd.exe	taskkill.exe
PID 4016 wrote to memory of 2968	4016	cmd.exe	choice.exe
PID 4016 wrote to memory of 2968	4016	cmd.exe	choice.exe
PID 4016 wrote to memory of 2968	4016	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
"C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
"{path}"
2⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 3992 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 3992
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2547843fcaec99437c93ff74c366c1300446b16c13d84d41d5b451e979822d09.exe.log
Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
memory/340-143-0x0000000000000000-mapping.dmp

Download
memory/856-134-0x0000000000000000-mapping.dmp

Download
memory/2968-144-0x0000000000000000-mapping.dmp

Download
memory/3992-139-0x0000000005980000-0x0000000005992000-memory.dmp

Filesize
72KB

Download
memory/3992-135-0x0000000000000000-mapping.dmp

Download
memory/3992-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3992-138-0x0000000006010000-0x0000000006628000-memory.dmp

Filesize
6.1MB

Download
memory/3992-140-0x00000000059F0000-0x0000000005A2C000-memory.dmp

Filesize
240KB

Download
memory/3992-141-0x0000000005C80000-0x0000000005D8A000-memory.dmp

Filesize
1.0MB

Download
memory/4016-142-0x0000000000000000-mapping.dmp

Download
memory/4928-133-0x0000000006640000-0x00000000066DC000-memory.dmp

Filesize
624KB

Download
memory/4928-130-0x0000000000EF0000-0x0000000000FB6000-memory.dmp

Filesize
792KB

Download
memory/4928-132-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/4928-131-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads