redline | c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68

Resubmissions

22/03/2023, 20:41

230322-zgjjzabc24 10

Analysis

max time kernel
140s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/03/2023, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68.exe
Size

298KB
MD5

c2d4b5490f3b41491624df1cd5a0ff62
SHA1

bb86ae0caa8a21149a2fdce11ca05bc0ce950bbd
SHA256

c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68
SHA512

583b0dc713b35b39a6dda1314890299cf32f1bc70699927d59fdfae96e27c6283b6ee0a4294dc8fa6073cad8dc697e48851200b3f38603da510a876606f89ae6
SSDEEP

6144:5HiCpw0G0c6sIxxmeY0yDmeMkonGV9XjdK6Igk6jsGLe63hs:5HiCVG0c6vPo0gLhV9lIgkC/L93

Score

10^/10

redline persom infostealer

Malware Config

Extracted

Family

redline

Botnet

persom

45.155.204.13:25916

Attributes

auth_value
95b39b00ba8fba008cebd278bd0303f0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/1108-55-0x00000000023A0000-0x00000000023FA000-memory.dmp	family_redline
behavioral1/memory/1108-57-0x0000000004C20000-0x0000000004C60000-memory.dmp	family_redline
behavioral1/memory/1108-60-0x0000000002590000-0x00000000025E8000-memory.dmp	family_redline
behavioral1/memory/1108-62-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-63-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-65-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-67-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-69-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-71-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-73-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-75-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-77-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-79-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-81-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-83-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-85-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-87-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-89-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-91-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-93-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-95-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-97-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-101-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-99-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-103-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-105-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-107-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-109-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-111-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-113-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-117-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-115-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-119-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-121-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline
behavioral1/memory/1108-123-0x0000000002590000-0x00000000025E2000-memory.dmp	family_redline

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1108-55-0x00000000023A0000-0x00000000023FA000-memory.dmp	net_reactor
behavioral1/memory/1108-57-0x0000000004C20000-0x0000000004C60000-memory.dmp	net_reactor
behavioral1/memory/1108-60-0x0000000002590000-0x00000000025E8000-memory.dmp	net_reactor
behavioral1/memory/1108-62-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-63-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-65-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-67-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-69-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-71-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-73-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-75-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-77-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-79-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-81-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-83-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-85-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-87-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-89-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-91-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-93-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-95-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-97-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-101-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-99-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-103-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-105-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-107-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-109-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-111-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-113-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-117-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-115-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-119-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-121-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor
behavioral1/memory/1108-123-0x0000000002590000-0x00000000025E2000-memory.dmp	net_reactor

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68.exe

C:\Users\Admin\AppData\Local\Temp\c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68.exe
"C:\Users\Admin\AppData\Local\Temp\c2348da208353e096df8a9b8be2029c434959abdfb3a8fee2e82e5742b87de68.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-55-0x00000000023A0000-0x00000000023FA000-memory.dmp

Filesize
360KB

Download
memory/1108-56-0x0000000000270000-0x00000000002D2000-memory.dmp

Filesize
392KB

Download
memory/1108-57-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/1108-58-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/1108-59-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/1108-60-0x0000000002590000-0x00000000025E8000-memory.dmp

Filesize
352KB

Download
memory/1108-61-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1108-62-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-63-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-65-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-67-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-69-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-71-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-73-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-75-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-77-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-79-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-81-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-83-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-85-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-87-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-89-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-91-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-93-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-95-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-97-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-101-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-99-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-103-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-105-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-107-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-109-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-111-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-113-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-117-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-115-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-119-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-121-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-123-0x0000000002590000-0x00000000025E2000-memory.dmp

Filesize
328KB

Download
memory/1108-854-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download