redline | 1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d

Analysis

max time kernel
7s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18fd0471029adc5a608cc7c442a97f3a.exe
Size

355KB
MD5

18fd0471029adc5a608cc7c442a97f3a
SHA1

74854bda1aa3e60c3b6f58e8f77882ac7f958486
SHA256

1e92e176dd94bb165b9ac9a391ed84ad473ae69a44139d2f9765dd56974cee0d
SHA512

9cc462178cf8b63b27de90998c3a8cc722cec0bbde604e66482510c3888a78b1e869b4d3e7195c3361bb7fce43392c204c5b760948afd3bbddd6ee225bb61e00
SSDEEP

6144:MM/FgKFH4ZtKyKtHFrO/ODMruf29AYlxJzZfPkcdeyO9U/PRdygA/g3/FGXIqNPo:MI/FutKyQli/3rtT5zPdeyO9U/PRdygE

Score

10^/10

redline @marssellers12 infostealer

Malware Config

Extracted

Family

redline

Botnet

@MarsSellers12

94.228.166.68:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/3636-9-0x0000000000400000-0x0000000000450000-memory.dmp family_redline
Loads dropped DLL 1 IoCs

Processes:

18fd0471029adc5a608cc7c442a97f3a.exe

pid process

3588 18fd0471029adc5a608cc7c442a97f3a.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

18fd0471029adc5a608cc7c442a97f3a.exe

description pid process target process

PID 3588 set thread context of 3636 3588 18fd0471029adc5a608cc7c442a97f3a.exe MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 3636 MSBuild.exe

resource	yara_rule
behavioral2/memory/3636-9-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

pid	process
3588	18fd0471029adc5a608cc7c442a97f3a.exe

description	pid	process	target process
PID 3588 set thread context of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3636	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18fd0471029adc5a608cc7c442a97f3a.exe

description	pid	process	target process
PID 3588 wrote to memory of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe
PID 3588 wrote to memory of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe
PID 3588 wrote to memory of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe
PID 3588 wrote to memory of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe
PID 3588 wrote to memory of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe
PID 3588 wrote to memory of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe
PID 3588 wrote to memory of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe
PID 3588 wrote to memory of 3636	3588	18fd0471029adc5a608cc7c442a97f3a.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\18fd0471029adc5a608cc7c442a97f3a.exe
"C:\Users\Admin\AppData\Local\Temp\18fd0471029adc5a608cc7c442a97f3a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8
1⤵
PID:4432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
419KB

MD5
be83077acea269c2187e97bb1b69105d

SHA1
987759a7153784121f4ef96cf4d78d1e9c552fc3

SHA256
4045ce5f58a63dd9cf525424f950f8d6ea8be2d0b93069b691077480787ffa78

SHA512
e9f6da69af0730912586d4a8d388069872f1ed27e2e1b0c54570add6ded52f5e0e1da268e55615cd82076fa2fb1dd559cca7bda23e45fa2cc5c08e1cfa8c6e94

Download Submit
memory/3588-13-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3588-1-0x0000000000450000-0x00000000004B2000-memory.dmp

Filesize
392KB

Download
memory/3588-2-0x00000000027C0000-0x00000000027C6000-memory.dmp

Filesize
24KB

Download
memory/3588-30-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3588-11-0x0000000076ED1000-0x0000000076FF1000-memory.dmp

Filesize
1.1MB

Download
memory/3588-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/3636-18-0x0000000006410000-0x0000000006A28000-memory.dmp

Filesize
6.1MB

Download
memory/3636-22-0x0000000007DA0000-0x0000000007DEC000-memory.dmp

Filesize
304KB

Download
memory/3636-15-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-16-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

Filesize
40KB

Download
memory/3636-17-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-12-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/3636-19-0x0000000007C90000-0x0000000007D9A000-memory.dmp

Filesize
1.0MB

Download
memory/3636-20-0x0000000006320000-0x0000000006332000-memory.dmp

Filesize
72KB

Download
memory/3636-21-0x0000000006380000-0x00000000063BC000-memory.dmp

Filesize
240KB

Download
memory/3636-14-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/3636-23-0x0000000008BC0000-0x0000000008C26000-memory.dmp

Filesize
408KB

Download
memory/3636-24-0x00000000094C0000-0x0000000009682000-memory.dmp

Filesize
1.8MB

Download
memory/3636-25-0x0000000009BC0000-0x000000000A0EC000-memory.dmp

Filesize
5.2MB

Download
memory/3636-26-0x0000000000DB0000-0x0000000000E00000-memory.dmp

Filesize
320KB

Download
memory/3636-27-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-29-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download