redline | 1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5

General

Target

1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
Size

689KB
MD5

a9253a351d4fd393efb8bf0b1d351f77
SHA1

375cc00ead5d7f4c878e37533f4df5c904c18902
SHA256

1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5
SHA512

7931b95d0706069f188935ad2befab27a964ebd5617aa61956aff1617abc7de0b8fffd7fbe6f931f36a9a855883e3e4e922351e117036e821bff84a37c580fb2

Score

10^/10

redline 333333 infostealer

Malware Config

Extracted

Family

redline

Botnet

333333

C2

2.56.57.212:13040

Attributes

auth_value
3efa022bc816f747304fd68e5810bb78

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4564-138-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe

description	pid	process	target process
PID 1768 set thread context of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe

pid	process
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe

description pid process

Token: SeDebugPrivilege 1768 1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe

description	pid	process
Token: SeDebugPrivilege	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe

description	pid	process	target process
PID 1768 wrote to memory of 4676	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4676	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4676	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe
PID 1768 wrote to memory of 4564	1768	1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe
"C:\Users\Admin\AppData\Local\Temp\1083ea2a76b0cf4cd2f8bd19120182f43d873685e68bef7bd5022a434346c0a5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:4564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-131-0x0000000000E90000-0x0000000000F42000-memory.dmp

Filesize
712KB

Download
memory/1768-132-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/1768-133-0x00000000058E0000-0x0000000005972000-memory.dmp

Filesize
584KB

Download
memory/1768-134-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/1768-135-0x0000000009110000-0x00000000091AC000-memory.dmp

Filesize
624KB

Download
memory/4564-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4564-137-0x0000000000000000-mapping.dmp

Download
memory/4564-139-0x00000000056E0000-0x0000000005CF8000-memory.dmp

Filesize
6.1MB

Download
memory/4564-140-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/4564-141-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/4564-142-0x00000000051E0000-0x000000000521C000-memory.dmp

Filesize
240KB

Download
memory/4676-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads