redline | 1b33ac622d65ce8b666f4ed01549eaec45ee0b43242c073cf890bc6df61459e5

Analysis

max time kernel
144s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2023 09:04

Target

EmNpZQKFsjAgeAss.exe
Size

502KB
MD5

da3491ec1082ea275af89ded590fedbc
SHA1

af5a582a513f3b0c727551d5a1646b8b3f14bf2f
SHA256

1b33ac622d65ce8b666f4ed01549eaec45ee0b43242c073cf890bc6df61459e5
SHA512

67e8f450a0360a1aff737278c25fec3bf6ae485d813ba3bc3c311f6940d0754c88fb7818e556c44b4265dd436a3fbc4616882836003e6ef05c49117c54cd7766
SSDEEP

6144:i+B9OckfNSJuQQdrpFgi+OP1xN/R+5+59IYMbBmka/go6UhcX7elbKTu19bfF/Ho:i+nOcENSkQJi/N/RWw9vlkjo63X3uz

Score

10^/10

Family

redline

Botnet

cheat

127.0.0.1:15235

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

Processes:

resource	yara_rule
behavioral3/memory/1004-136-0x0000000005B50000-0x0000000006168000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1004-134-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1004-134-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 1 IoCs

Processes:

EmNpZQKFsjAgeAss.exe

description pid process target process

PID 3744 set thread context of 1004 3744 EmNpZQKFsjAgeAss.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1004 RegAsm.exe

description	pid	process	target process
PID 3744 set thread context of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1004	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EmNpZQKFsjAgeAss.exe

description	pid	process	target process
PID 3744 wrote to memory of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 3744 wrote to memory of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 3744 wrote to memory of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 3744 wrote to memory of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 3744 wrote to memory of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 3744 wrote to memory of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 3744 wrote to memory of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe
PID 3744 wrote to memory of 1004	3744	EmNpZQKFsjAgeAss.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

memory/1004-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1004-136-0x0000000005B50000-0x0000000006168000-memory.dmp

Filesize
6.1MB

Download
memory/1004-137-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/1004-138-0x00000000055F0000-0x000000000562C000-memory.dmp

Filesize
240KB

Download
memory/1004-139-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/1004-140-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/1004-141-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/3744-133-0x0000000000D40000-0x0000000000DC4000-memory.dmp

Filesize
528KB

Download