redline | 83ded684d8501ecbb679d59ec349c702930aba7e3aea673ef92894e23b615d5e

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09/01/2023, 21:43

Target

Intrunkhypho.exe
Size

278KB
MD5

8866c407a31bcd11e2456843519f5109
SHA1

068d8ebf28711bc63445932a39b564ac07527aad
SHA256

83ded684d8501ecbb679d59ec349c702930aba7e3aea673ef92894e23b615d5e
SHA512

c22f34790e805313eabfef72d46b9b834bacdb642f4f5fa944bb16b2bec8a8f20fc46fc1687f624e74843c046025c46c08f733722fec99f83c2b3db26fa24095
SSDEEP

6144:O6FkdWDZKNjcsnyb+GU52LLzEokiqKsnhJIBDwKjWDhDocX3S:Gx0BFTEokiqJmhgxn

Score

10^/10

Family

redline

Botnet

Тест2

77.73.134.6:12530

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2032	2020	Intrunkhypho.exe	29

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	Intrunkhypho.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2024	2020	Intrunkhypho.exe	28
PID 2020 wrote to memory of 2024	2020	Intrunkhypho.exe	28
PID 2020 wrote to memory of 2024	2020	Intrunkhypho.exe	28
PID 2020 wrote to memory of 2024	2020	Intrunkhypho.exe	28
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29
PID 2020 wrote to memory of 2032	2020	Intrunkhypho.exe	29

C:\Users\Admin\AppData\Local\Temp\Intrunkhypho.exe
"C:\Users\Admin\AppData\Local\Temp\Intrunkhypho.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
  2⤵
  PID:2032

memory/2020-54-0x0000000001070000-0x00000000010BC000-memory.dmp

Filesize
304KB

Download
memory/2032-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-67-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download