redline | d4bb66bd17508438be397f81e2226dd6e4814fcc09573aefec5039a7ec3b10a8

General

Target

SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe
Size

32KB
MD5

cda47274841683f9a31edab3d6c69abc
SHA1

11c27e58791bb03a95c0fb9c4784f9a47371befe
SHA256

d4bb66bd17508438be397f81e2226dd6e4814fcc09573aefec5039a7ec3b10a8
SHA512

765c7efe511299431e385f6721f984f52d7647ccf8c7570cce115c9b28096319c7ee2a06729176465bbd9dfb9a7dc39ac91dad07e611a206af2f6806e51f5462

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/992-3-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral2/memory/992-4-0x000000000042A2BE-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe

description pid process target process

PID 1028 set thread context of 992 1028 SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe AddInProcess32.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1740 taskkill.exe

description	pid	process	target process
PID 1028 set thread context of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe

pid	process
1740	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exeAddInProcess32.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe
Token: SeDebugPrivilege	992	AddInProcess32.exe
Token: SeDebugPrivilege	1740	taskkill.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exeAddInProcess32.execmd.exe

description	pid	process	target process
PID 1028 wrote to memory of 968	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess.exe
PID 1028 wrote to memory of 968	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess.exe
PID 1028 wrote to memory of 968	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess.exe
PID 1028 wrote to memory of 968	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess.exe
PID 1028 wrote to memory of 968	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess.exe
PID 1028 wrote to memory of 968	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess.exe
PID 1028 wrote to memory of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe
PID 1028 wrote to memory of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe
PID 1028 wrote to memory of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe
PID 1028 wrote to memory of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe
PID 1028 wrote to memory of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe
PID 1028 wrote to memory of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe
PID 1028 wrote to memory of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe
PID 1028 wrote to memory of 992	1028	SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe	AddInProcess32.exe
PID 992 wrote to memory of 576	992	AddInProcess32.exe	cmd.exe
PID 992 wrote to memory of 576	992	AddInProcess32.exe	cmd.exe
PID 992 wrote to memory of 576	992	AddInProcess32.exe	cmd.exe
PID 576 wrote to memory of 1740	576	cmd.exe	taskkill.exe
PID 576 wrote to memory of 1740	576	cmd.exe	taskkill.exe
PID 576 wrote to memory of 1740	576	cmd.exe	taskkill.exe
PID 576 wrote to memory of 3980	576	cmd.exe	choice.exe
PID 576 wrote to memory of 3980	576	cmd.exe	choice.exe
PID 576 wrote to memory of 3980	576	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownloaderNET.56.29232.23237.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
2⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 992 && choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 992
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-13-0x0000000000000000-mapping.dmp

Download
memory/992-9-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/992-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/992-4-0x000000000042A2BE-mapping.dmp

Download
memory/992-5-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/992-8-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/992-10-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/992-11-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/992-12-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1028-0-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/1028-1-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1740-14-0x0000000000000000-mapping.dmp

Download
memory/3980-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads