Analysis
-
max time kernel
138s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
27-03-2023 23:10
Behavioral task
behavioral1
Sample
984-87-0x00000000020B0000-0x00000000020F4000-memory.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
984-87-0x00000000020B0000-0x00000000020F4000-memory.exe
Resource
win10v2004-20230220-en
General
-
Target
984-87-0x00000000020B0000-0x00000000020F4000-memory.exe
-
Size
272KB
-
MD5
aba787ae3aee4ead3acc74b64611dc9d
-
SHA1
b7b22be4a74953869b43d4eff975dd39eb2a97f1
-
SHA256
9025662926085103703c8d4a755108307146d4497e824c6fda8df3558fae76c6
-
SHA512
b18af8f300c57832588474e25c6f8d9dbfefaa576d9593e77d781449028a1c7348e2ef9ec98f7bf43a3d7a902db9f8128cc25001edb47aa443808b88700af4b2
-
SSDEEP
3072:/z6jYELL6VXXCG/SyVXtwkw/em3EvLc9Cao40VBaw8hUJnSVJBb7xNn2pU9f2MK8:/z6jU1KyZtwLe2EvLcSJ8hinSVJB
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4024-133-0x0000000000220000-0x0000000000264000-memory.dmp family_redline -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
984-87-0x00000000020B0000-0x00000000020F4000-memory.exedescription pid process Token: SeDebugPrivilege 4024 984-87-0x00000000020B0000-0x00000000020F4000-memory.exe