redline | 94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca

Analysis

max time kernel
134s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2022 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
Size

872KB
MD5

fee9c5f1f2f236987cad3ed8015bf9aa
SHA1

8e940837b17cea9debedadc91d43721927f0aabc
SHA256

94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca
SHA512

0c13a7118b0432234dcb6c9bcd28d2dd25479eb213ce63d9ab4f964ac109864dff3cb57754181ecaa42651f06cc00c72fd55eca38747abc87839544f1f622e61
SSDEEP

12288:IJCLK4HTNRRvi8D9/CK6MkGF8URcX6FeJNz+xd4N:Tw8xru08URngJhW

Score

10^/10

redline sirus infostealer

Malware Config

Extracted

Family

redline

Botnet

sirus

147.124.223.126:4444

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4812-191-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/4812-192-0x000000000041933E-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe

description	pid	process	target process
PID 2704 set thread context of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe

pid	process
2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe

description	pid	process
Token: SeDebugPrivilege	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
Token: SeDebugPrivilege	4812	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe

description	pid	process	target process
PID 2704 wrote to memory of 4836	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4836	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4836	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4832	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4832	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4832	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
PID 2704 wrote to memory of 4812	2704	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe	94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe

C:\Users\Admin\AppData\Local\Temp\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
"C:\Users\Admin\AppData\Local\Temp\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
"C:\Users\Admin\AppData\Local\Temp\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe"
2⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
"C:\Users\Admin\AppData\Local\Temp\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Users\Admin\AppData\Local\Temp\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe
"C:\Users\Admin\AppData\Local\Temp\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe"
2⤵
PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\94630dcd256f52e3a0123844fff4b0a0214c1ea11cda72ee5e59dc057f5badca.exe.log
Filesize
1KB

MD5
12557ab909651a6f99d3503d614d3562

SHA1
b86745768059a514bea3a438e1e96086af463246

SHA256
9589c869703e95d40d5870c60f66d8460f7914e9fe8dd579533c84148112babd

SHA512
10cdb2fa7cf054af937b4aeddfe16fe755d6b09db5a51f7052adbf472b4b435e16c141f3712762f3b67f990c3efcfa47659576988e321214c747d6cd98e75521

Download Submit
memory/2704-120-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-121-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-122-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-123-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-124-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-125-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-126-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-127-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-128-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-129-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-130-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-131-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-132-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-133-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-134-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-135-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-136-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-137-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-138-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-139-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-140-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-141-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-142-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-143-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-144-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-145-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-146-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-147-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-148-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-149-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-150-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-151-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-152-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-153-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-154-0x00000000008A0000-0x000000000097C000-memory.dmp

Filesize
880KB

Download
memory/2704-155-0x00000000057B0000-0x0000000005CAE000-memory.dmp

Filesize
5.0MB

Download
memory/2704-156-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-157-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/2704-158-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-159-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-160-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-161-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-162-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-163-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-164-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-165-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-166-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-167-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-168-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-169-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-170-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-171-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-172-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-173-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-174-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/2704-175-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-176-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-177-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-178-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-179-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-180-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-181-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-182-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-183-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-184-0x0000000007F20000-0x0000000007F3C000-memory.dmp

Filesize
112KB

Download
memory/2704-185-0x00000000081C0000-0x00000000081CC000-memory.dmp

Filesize
48KB

Download
memory/2704-186-0x0000000008250000-0x00000000082C8000-memory.dmp

Filesize
480KB

Download
memory/2704-187-0x0000000008390000-0x000000000842C000-memory.dmp

Filesize
624KB

Download
memory/2704-188-0x00000000084A0000-0x0000000008506000-memory.dmp

Filesize
408KB

Download
memory/2704-189-0x0000000008340000-0x000000000835E000-memory.dmp

Filesize
120KB

Download
memory/2704-190-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/4812-191-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4812-192-0x000000000041933E-mapping.dmp

Download
memory/4812-193-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/4812-194-0x00000000773D0000-0x000000007755E000-memory.dmp

Filesize
1.6MB

Download
memory/4812-228-0x0000000005450000-0x0000000005A56000-memory.dmp

Filesize
6.0MB

Download
memory/4812-230-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/4812-235-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/4812-245-0x0000000004D80000-0x0000000004DCB000-memory.dmp

Filesize
300KB

Download
memory/4812-247-0x0000000004FF0000-0x00000000050FA000-memory.dmp

Filesize
1.0MB

Download