redline | 470ee74f5b7860612c61d973ca12d32b6d8cccb1caf6828d99d79134d6eed9cb | Triage

Analysis

max time kernel
150s
max time network
42s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
05-08-2022 22:51

Sharing

Report Analysis Logs

General

Target

470ee74f5b7860612c61d973ca12d32b6d8cccb1caf6828d99d79134d6eed9cb.exe
Size

100KB
MD5

72a36d3a94a35cf830b86ff67a34b61b
SHA1

d3e60eb1cf0efc15e0cc51a7c1ec3ed7ae872659
SHA256

470ee74f5b7860612c61d973ca12d32b6d8cccb1caf6828d99d79134d6eed9cb
SHA512

efa84552e665ed95b859f5cd53264421bad8c80ffee5a7639bd47c5f23815eced5d181428c0aae52a49362f6c9028b3a5bcb5f290c1c7b11011ed5c503002180

Score

10^/10

redline ncanal01 infostealer

Malware Config

Extracted

Family

redline

Botnet

NCanal01

C2

pupdatastart.tech:80

pupdatastart.xyz:80

pupdatastar.store:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1672-54-0x0000000000D30000-0x0000000000D4E000-memory.dmp	family_redline

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

470ee74f5b7860612c61d973ca12d32b6d8cccb1caf6828d99d79134d6eed9cb.exe

description pid process

Token: SeDebugPrivilege 1672 470ee74f5b7860612c61d973ca12d32b6d8cccb1caf6828d99d79134d6eed9cb.exe

C:\Users\Admin\AppData\Local\Temp\470ee74f5b7860612c61d973ca12d32b6d8cccb1caf6828d99d79134d6eed9cb.exe
"C:\Users\Admin\AppData\Local\Temp\470ee74f5b7860612c61d973ca12d32b6d8cccb1caf6828d99d79134d6eed9cb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-54-0x0000000000D30000-0x0000000000D4E000-memory.dmp

Filesize
120KB

Download
memory/1672-55-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download