redline | f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2023, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
Size

673KB
MD5

08215dde4129b7d76336f39fdd511a2e
SHA1

3a8640882544c8d1ad79a0d99362ab46241bf43c
SHA256

f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a
SHA512

10144749286206abc9a193c60a323474a70aff1fdbb6ce957d36b4a11ee5c91641321e9877d475d99bccb1b5e680baaeb3ad243009db86c15a42d117d676bb41
SSDEEP

6144:7iK/fTphszm59OXCWJIQyLNy1yGiGwpMhSz8yc0F6hRlYT8b6VwGWsZ9wa8bszpD:+ANhlDWd9YSrb6VTEa8bGfMwqA5v

Score

10^/10

redline 1300 infostealer

Malware Config

Extracted

Family

redline

Botnet

1300

45.15.166.130:44519

Attributes

auth_value
2e328604bf1317edc3d8daa89e0a03ec

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84
PID 2984 wrote to memory of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84
PID 2984 wrote to memory of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84
PID 2984 wrote to memory of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84
PID 2984 wrote to memory of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84
PID 2984 wrote to memory of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84
PID 2984 wrote to memory of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84
PID 2984 wrote to memory of 3660	2984	f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe	84

C:\Users\Admin\AppData\Local\Temp\f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
"C:\Users\Admin\AppData\Local\Temp\f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe
  "C:\Users\Admin\AppData\Local\Temp\f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe"
  2⤵
  PID:3660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f9a0e18ccfc8d6e017c6d658544ba7c9c9138a9dc4d256aca2b824c9770eca8a.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
memory/2984-143-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/2984-135-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/2984-136-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/2984-137-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/2984-138-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/2984-139-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/2984-140-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/2984-141-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/2984-133-0x0000000000670000-0x000000000071E000-memory.dmp

Filesize
696KB

Download
memory/2984-142-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/2984-134-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/2984-145-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/2984-144-0x00000000065A0000-0x00000000065B0000-memory.dmp

Filesize
64KB

Download
memory/3660-146-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3660-149-0x00000000054F0000-0x0000000005B08000-memory.dmp

Filesize
6.1MB

Download
memory/3660-150-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/3660-151-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/3660-152-0x0000000005030000-0x000000000506C000-memory.dmp

Filesize
240KB

Download
memory/3660-153-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3660-154-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download