redline | f806835a1b630dd4cccb4621a5f6c551ab129e4c697a943367d3ca27f58f3402 | Triage

Analysis

max time kernel
103s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-07-2022 01:19

Sharing

Report Analysis Logs

General

Target

1708-59-0x0000000002550000-0x0000000002584000-memory.exe
Size

208KB
MD5

1028e8b370aa3bd0a4391bb9b23201b7
SHA1

5eaa00299b2b4910ca5ecb9e2f044ce4becc5920
SHA256

f806835a1b630dd4cccb4621a5f6c551ab129e4c697a943367d3ca27f58f3402
SHA512

7965b426c822d82bc85486d391e33e6ee807918ef12da51a1fbe1da24c886cb54eba7ffc981be601f2b2314cbc58cbb2bce62751050b30c86ab0811ddb40b498

Score

10^/10

redline 2 infostealer

Malware Config

Extracted

Family

redline

Botnet

2

C2

193.124.22.7:35632

Attributes

auth_value
59967defa326eeea5c873678294c84b0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/988-130-0x0000000000950000-0x0000000000984000-memory.dmp	family_redline

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1708-59-0x0000000002550000-0x0000000002584000-memory.exe

description pid process

Token: SeDebugPrivilege 988 1708-59-0x0000000002550000-0x0000000002584000-memory.exe

C:\Users\Admin\AppData\Local\Temp\1708-59-0x0000000002550000-0x0000000002584000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1708-59-0x0000000002550000-0x0000000002584000-memory.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-130-0x0000000000950000-0x0000000000984000-memory.dmp

Filesize
208KB

Download