redline | 17a0c8eaeb8ed94e1935d1f8bc9f720c877d0af2bc73dcae5ea0bbacf7792d23

Analysis

max time kernel
30s
max time network
32s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
27-06-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Size

516KB
MD5

0c341e00d3027a4a6ea5438f37f06677
SHA1

60717e853262eeae53ccc87da6940adb73aa9ce2
SHA256

1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6
SHA512

2209fc9c45f7f985250f0aa31229a9c75e72ad6619e38474717cb8b041f59f43b2aa66a125268c41dafe80508588a1bc5a2f87fe69b5b0acdbb47338da36ab46
SSDEEP

12288:hPyRu80u5xzuq1GFsJl6pzndWxkgzPxnFYO:Byyu3zXSNd/gz7

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1832-1-0x0000000000400000-0x0000000000486000-memory.dmp family_redline
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2396 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2396 vlc.exe

resource	yara_rule
behavioral1/memory/1832-1-0x0000000000400000-0x0000000000486000-memory.dmp	family_redline

pid	process
2396	vlc.exe

pid	process
2396	vlc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe

description	pid	process
Token: SeDebugPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeBackupPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeSecurityPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeSecurityPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeSecurityPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeSecurityPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeBackupPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeSecurityPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeSecurityPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeSecurityPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
Token: SeSecurityPrivilege	1832	1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

vlc.exe

pid process

2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
2396 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

2396 vlc.exe

pid	process
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe

pid	process
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe
2396	vlc.exe

pid	process
2396	vlc.exe

C:\Users\Admin\AppData\Local\Temp\1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe
"C:\Users\Admin\AppData\Local\Temp\1da56a5f2bbdc5215305e5e397bd3ed926f44520e145aa7bf2e6785b33f381e6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3772

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnprotectDebug.mp4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1832-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/1832-1-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1832-2-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/1832-3-0x00000000028F0000-0x0000000002910000-memory.dmp

Filesize
128KB

Download
memory/1832-4-0x0000000005620000-0x0000000005BC6000-memory.dmp

Filesize
5.6MB

Download
memory/1832-5-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/1832-6-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/1832-7-0x00000000085E0000-0x0000000008BF8000-memory.dmp

Filesize
6.1MB

Download
memory/1832-8-0x0000000008110000-0x000000000821A000-memory.dmp

Filesize
1.0MB

Download
memory/1832-9-0x0000000008050000-0x0000000008062000-memory.dmp

Filesize
72KB

Download
memory/1832-10-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/1832-11-0x0000000008220000-0x000000000826C000-memory.dmp

Filesize
304KB

Download
memory/1832-12-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/1832-13-0x0000000074F90000-0x0000000075741000-memory.dmp

Filesize
7.7MB

Download
memory/2396-27-0x00007FFD407A0000-0x00007FFD407D4000-memory.dmp

Filesize
208KB

Download
memory/2396-26-0x00007FF7D5470000-0x00007FF7D5568000-memory.dmp

Filesize
992KB

Download
memory/2396-28-0x00007FFD39F10000-0x00007FFD3A1C6000-memory.dmp

Filesize
2.7MB

Download
memory/2396-29-0x00007FFD2E2A0000-0x00007FFD2F350000-memory.dmp

Filesize
16.7MB

Download