redline | 4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe
Size

403KB
MD5

fdb35993f43fb0c0b3fadb2aef70b0be
SHA1

0881f937004e97e9aa3ee8688dccbd48ba2303ab
SHA256

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee
SHA512

0f0cf3744a6b0d07e54305c2dee7920c0d18ae10667abf0e2e6b25377b702f021fb77dfd716edd9f106aa53634493bf9a9b79ce00902e4e04abd825ec50f9277
SSDEEP

12288:RhWBAslGt0whBHsIOBJ0pokRqQ4s7My+5kpea2teQfx:XAwtZHHstJ0ecN4s+5tj

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4684-4-0x0000000004850000-0x00000000048C0000-memory.dmp	family_redline
behavioral2/memory/4684-16-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-70-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-72-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-68-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-66-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-64-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-62-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-60-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-58-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-56-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-54-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-52-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-50-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-48-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-46-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-44-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-42-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-40-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-38-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-34-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-32-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-28-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-26-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-22-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-18-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-36-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-30-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-24-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-20-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-14-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-12-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-10-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-9-0x00000000075A0000-0x0000000007608000-memory.dmp	family_redline
behavioral2/memory/4684-6-0x00000000075A0000-0x000000000760E000-memory.dmp	family_redline

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4684-4-0x0000000004850000-0x00000000048C0000-memory.dmp	net_reactor
behavioral2/memory/4684-16-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-70-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-72-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-68-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-66-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-64-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-62-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-60-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-58-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-56-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-54-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-52-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-50-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-48-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-46-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-44-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-42-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-40-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-38-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-34-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-32-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-28-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-26-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-22-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-18-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-36-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-30-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-24-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-20-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-14-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-12-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-10-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-9-0x00000000075A0000-0x0000000007608000-memory.dmp	net_reactor
behavioral2/memory/4684-6-0x00000000075A0000-0x000000000760E000-memory.dmp	net_reactor

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe

description pid process

Token: SeDebugPrivilege 4684 4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe

description	pid	process
Token: SeDebugPrivilege	4684	4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe

C:\Users\Admin\AppData\Local\Temp\4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe
"C:\Users\Admin\AppData\Local\Temp\4b5b5a34e4b2dd842b5a097a93a47385316f68907fe5b512b494c6a608e446ee.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4684-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4684-2-0x0000000004360000-0x00000000043CD000-memory.dmp

Filesize
436KB

Download
memory/4684-4-0x0000000004850000-0x00000000048C0000-memory.dmp

Filesize
448KB

Download
memory/4684-1-0x00000000028B0000-0x00000000029B0000-memory.dmp

Filesize
1024KB

Download
memory/4684-7-0x0000000007610000-0x00000000076A2000-memory.dmp

Filesize
584KB

Download
memory/4684-8-0x0000000000400000-0x0000000002752000-memory.dmp

Filesize
35.3MB

Download
memory/4684-16-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-70-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-72-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-68-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-66-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-64-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-62-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-60-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-58-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-56-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-54-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-52-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-50-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-48-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-46-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-44-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-1589-0x0000000007860000-0x000000000786A000-memory.dmp

Filesize
40KB

Download
memory/4684-42-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-40-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-38-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-1590-0x0000000007970000-0x0000000007F88000-memory.dmp

Filesize
6.1MB

Download
memory/4684-1593-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/4684-1594-0x0000000008130000-0x000000000817C000-memory.dmp

Filesize
304KB

Download
memory/4684-1592-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/4684-1591-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4684-34-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-32-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-28-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-26-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-22-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-18-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-36-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-30-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-24-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-20-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-14-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-12-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-10-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-9-0x00000000075A0000-0x0000000007608000-memory.dmp

Filesize
416KB

Download
memory/4684-6-0x00000000075A0000-0x000000000760E000-memory.dmp

Filesize
440KB

Download
memory/4684-5-0x0000000006FB0000-0x0000000007554000-memory.dmp

Filesize
5.6MB

Download
memory/4684-1597-0x00000000028B0000-0x00000000029B0000-memory.dmp

Filesize
1024KB

Download