redline | 5a57df26e345cb7e985044a7498954035ca64ae0952d19e9c28cf79c5e96d23b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe
Size

809KB
MD5

2ca5ea810f8ee199253dc7ffa26cd384
SHA1

e4f1fca8823e1aaea66c3aac025e5de1aacb2968
SHA256

85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02
SHA512

898a2d1fb35880ee739e90da3296e50adef1e4be70ecbc15dbc0aad85babf4f93bc3c354afcd45cde2cd8657bf12830c5f166175e8a6ea45ad5b26c67ab8ec13
SSDEEP

24576:3CHCW4HtzV4/ktaXGnRQUnifb0fT5dZ9nYd+cm6:yHzUtzV4W9bifb0Z

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1168-133-0x0000000000FD0000-0x00000000010A0000-memory.dmp	family_redline

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe

pid	process
1168	85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe
1168	85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe

description pid process

Token: SeDebugPrivilege 1168 85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe

description	pid	process
Token: SeDebugPrivilege	1168	85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe

C:\Users\Admin\AppData\Local\Temp\85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe
"C:\Users\Admin\AppData\Local\Temp\85c59de1c3e694b350a38b115c1dac784bc50bf9522c0c9a8f3a74b1a7e2de02.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-133-0x0000000000FD0000-0x00000000010A0000-memory.dmp

Filesize
832KB

Download
memory/1168-134-0x00000000059F0000-0x0000000005A12000-memory.dmp

Filesize
136KB

Download
memory/1168-142-0x0000000005AB0000-0x0000000005B0A000-memory.dmp

Filesize
360KB

Download
memory/1168-149-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1168-150-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1168-151-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1168-152-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1168-153-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1168-154-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1168-155-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1168-156-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1168-157-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1168-158-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1168-159-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1168-160-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1168-161-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1168-162-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1168-163-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1168-164-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1168-165-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1168-166-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1168-167-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/1168-168-0x00000000062E0000-0x00000000068F8000-memory.dmp

Filesize
6.1MB

Download
memory/1168-169-0x0000000005DE0000-0x0000000005EEA000-memory.dmp

Filesize
1.0MB

Download
memory/1168-170-0x0000000005D20000-0x0000000005D32000-memory.dmp

Filesize
72KB

Download
memory/1168-171-0x0000000005D80000-0x0000000005DBC000-memory.dmp

Filesize
240KB

Download
memory/1168-172-0x0000000006EB0000-0x0000000007454000-memory.dmp

Filesize
5.6MB

Download
memory/1168-173-0x00000000069E0000-0x0000000006A72000-memory.dmp

Filesize
584KB

Download
memory/1168-174-0x0000000006A80000-0x0000000006AE6000-memory.dmp

Filesize
408KB

Download
memory/1168-175-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download