Overview

overview

10

Static

static

3

99629 00 E...05.exe

windows10-2004-x64

10

AMMonitori...er.dll

windows10-2004-x64

1

EppManifest.dll

windows10-2004-x64

1

ImagingBase.dll

windows7-x64

1

ImagingBase.dll

windows10-2004-x64

1

MpAsDesc.dll

windows10-2004-x64

1

MpAzSubmit.dll

windows10-2004-x64

1

MpClient.dll

windows7-x64

10

MpClient.dll

windows10-2004-x64

10

MpCommu.dll

windows10-2004-x64

1

MpDetours.dll

windows10-2004-x64

1

MpDetoursC...or.dll

windows10-2004-x64

1

MpEvMsg.dll

windows10-2004-x64

1

MpOAV.dll

windows10-2004-x64

1

MpProvider.dll

windows10-2004-x64

1

MpRtp.dll

windows10-2004-x64

1

MpSvc.dll

windows10-2004-x64

1

MsMpCom.dll

windows10-2004-x64

1

MsMpLics.dll

windows10-2004-x64

1

Protection...nt.dll

windows10-2004-x64

1

endpointdlp.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MpClient.dll

  • Size

    1.9MB

  • MD5

    978dd357e63cf2172cbaabd9a924926d

  • SHA1

    f790d1c26e541e7a6f61c23428dbaed229180df2

  • SHA256

    8124b90ecca30c18cb51d8fa5d540192035d8591cece109624f9bdb80d90117a

  • SHA512

    76ad677e566f16fe163fe730a4796c943fcf5bcdf16e489231a3c424ef6485fbcb103a334dc9c35f10905cbee8d7851fa26de70d719bc06c12053c6d7579db7c

  • SSDEEP

    49152:lcP2wX5eR8DAlfSOSwHvWCdL+4JT6Vqq1Lft:w8a

Score
10/10
redlineinfostealer

Malware Config

Extracted

Family

redline

C2

185.29.9.108:15135

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\MpClient.dll,#1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      2⤵
        PID:2632
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        2⤵
          PID:528

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/528-0-0x0000000000400000-0x0000000000450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/528-1-0x000000007453E000-0x000000007453F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/528-2-0x0000000005CC0000-0x0000000006264000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/528-3-0x00000000057F0000-0x0000000005882000-memory.dmp

        Filesize

        584KB

        Download

      • memory/528-4-0x00000000059A0000-0x00000000059AA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/528-5-0x0000000074530000-0x0000000074CE0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/528-6-0x0000000006890000-0x0000000006EA8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/528-7-0x0000000005B80000-0x0000000005C8A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/528-8-0x0000000005A90000-0x0000000005AA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/528-9-0x0000000005AF0000-0x0000000005B2C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/528-10-0x0000000006270000-0x00000000062BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/528-11-0x000000007453E000-0x000000007453F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/528-12-0x0000000074530000-0x0000000074CE0000-memory.dmp

        Filesize

        7.7MB

        Download