Analysis
-
max time kernel
290s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
27/06/2024, 23:31
Static task
static1
Behavioral task
behavioral1
Sample
f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe
Resource
win10-20240404-en
General
-
Target
f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe
-
Size
3.7MB
-
MD5
851540a8a61d4606a6e7df206c7211e6
-
SHA1
1694c00781c85ee4aff42dcf67ad3752daa80c35
-
SHA256
f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013
-
SHA512
03bfcf302bda2a73bf19baf45d6e6d726fc78b87b1b3eb37f9d5f2d28b3b039ee1f5e0d75bdd6d80f8b3e549125314ee4fe896671f667e52aab638aa2338d609
-
SSDEEP
49152:W8rXn233KExXMbs5rseJy58Y8bWftef4R0Upyw+dr9TbaM9a6NLVxx6v57H2H8Ux:Wt3Ke/5Ieri/R3MTbaM9VNx6h7W1A
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.92:27953
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/1408-67-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 796 set thread context of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 796 wrote to memory of 424 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 73 PID 796 wrote to memory of 424 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 73 PID 796 wrote to memory of 424 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 73 PID 796 wrote to memory of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74 PID 796 wrote to memory of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74 PID 796 wrote to memory of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74 PID 796 wrote to memory of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74 PID 796 wrote to memory of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74 PID 796 wrote to memory of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74 PID 796 wrote to memory of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74 PID 796 wrote to memory of 1408 796 f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe 74
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe"C:\Users\Admin\AppData\Local\Temp\f1b8332cb1131e1e6d8bb133579c2474d7f3ff73e520b31a0bc71f67241a4013.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵PID:424
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵PID:1408
-