Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-06-2022 15:49
Static task: static1
Behavioral task: behavioral1
- Sample: 509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
- Resource: win10v2004-20220414-en
General
- Target: 509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
- Size: 2.3MB
- MD5: addd93ff7bf2e53744e25b39e6057547
- SHA1: b64ef50db800a0850a7fa89a7f5d13977ac3f1d3
- SHA256: 509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7
- SHA512: 7cb1ad47627b2b5958ece2bf6d509acb89a62f0f0429f24b792701bd8986c3f77cf7ec126acad257ccce6965e77908a27e43620829927cc1b3032f9218756254
Malware Config
Extracted
- Family: redline
- Botnet: 1
- C2: denverbbq.net:80
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1668-60-0x0000000000370000-0x00000000003A0000-memory.dmp  family_redline
  behavioral1/memory/1668-61-0x0000000000440000-0x000000000046E000-memory.dmp  family_redline
- Blocklisted process makes network request (64 IoCs)
  Processes: cmd.exe
  flow  pid   process
  2     1668  cmd.exe
  3     1668  cmd.exe
  4     1668  cmd.exe
  5     1668  cmd.exe
  6     1668  cmd.exe
  7     1668  cmd.exe
  8     1668  cmd.exe
  9     1668  cmd.exe
  10    1668  cmd.exe
  11    1668  cmd.exe
  12    1668  cmd.exe
  13    1668  cmd.exe
  14    1668  cmd.exe
  15    1668  cmd.exe
  16    1668  cmd.exe
  17    1668  cmd.exe
  18    1668  cmd.exe
  19    1668  cmd.exe
  21    1668  cmd.exe
  22    1668  cmd.exe
  23    1668  cmd.exe
  24    1668  cmd.exe
  25    1668  cmd.exe
  26    1668  cmd.exe
  27    1668  cmd.exe
  28    1668  cmd.exe
  29    1668  cmd.exe
  30    1668  cmd.exe
  31    1668  cmd.exe
  32    1668  cmd.exe
  33    1668  cmd.exe
  34    1668  cmd.exe
  35    1668  cmd.exe
  36    1668  cmd.exe
  37    1668  cmd.exe
  38    1668  cmd.exe
  39    1668  cmd.exe
  40    1668  cmd.exe
  41    1668  cmd.exe
  42    1668  cmd.exe
  43    1668  cmd.exe
  44    1668  cmd.exe
  45    1668  cmd.exe
  46    1668  cmd.exe
  47    1668  cmd.exe
  48    1668  cmd.exe
  49    1668  cmd.exe
  50    1668  cmd.exe
  51    1668  cmd.exe
  52    1668  cmd.exe
  53    1668  cmd.exe
  54    1668  cmd.exe
  55    1668  cmd.exe
  56    1668  cmd.exe
  57    1668  cmd.exe
  58    1668  cmd.exe
  59    1668  cmd.exe
  60    1668  cmd.exe
  61    1668  cmd.exe
  62    1668  cmd.exe
  63    1668  cmd.exe
  64    1668  cmd.exe
  65    1668  cmd.exe
  66    1668  cmd.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  Processes: 509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  pid   process
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: cmd.exe
  description              pid   process
  Token: SeDebugPrivilege  1668  cmd.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  description                       pid   process                                                                target process
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
  PID 1452 wrote to memory of 1668  1452  509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe  cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe"
    - Blocklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1452-56-0x00000000008C0000-0x000000000093B000-memory.dmp (Filesize: 492KB)
- memory/1452-57-0x0000000001FB0000-0x0000000002130000-memory.dmp (Filesize: 1.5MB)
- memory/1668-54-0x0000000000000000-mapping.dmp
- memory/1668-55-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1668-58-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1668-59-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1668-60-0x0000000000370000-0x00000000003A0000-memory.dmp (Filesize: 192KB)
- memory/1668-61-0x0000000000440000-0x000000000046E000-memory.dmp (Filesize: 184KB)
- memory/1668-62-0x0000000075EF1000-0x0000000075EF3000-memory.dmp (Filesize: 8KB)
- memory/1668-63-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)