redline | 6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d

General

Target

6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe
Size

766KB
MD5

5fc941cada98dda764b01273ed8c1cb7
SHA1

a0cb4240c9c9f789e588565cce4900f1486b10c9
SHA256

6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d
SHA512

c92eec5d9167c5253142941b7e39271472c56eb64ebdff59897916a9f7e4e67a353b4d70b2dc729800a25616654adbac784fbdfc72195aa9e1c0398ce9e1f8af

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3888-14-0x000000000042013E-mapping.dmp	family_redline
behavioral2/memory/3888-16-0x0000000000500000-0x0000000000540000-memory.dmp	family_redline

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 checkip.amazonaws.com

flow	ioc
17	checkip.amazonaws.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe

description	pid	process	target process
PID 1028 set thread context of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

InstallUtil.exe

pid process

3888 InstallUtil.exe
3888 InstallUtil.exe

pid	process
3888	InstallUtil.exe
3888	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe
Token: SeDebugPrivilege	3888	InstallUtil.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exeInstallUtil.exe

description	pid	process	target process
PID 1028 wrote to memory of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe
PID 1028 wrote to memory of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe
PID 1028 wrote to memory of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe
PID 1028 wrote to memory of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe
PID 1028 wrote to memory of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe
PID 1028 wrote to memory of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe
PID 1028 wrote to memory of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe
PID 1028 wrote to memory of 3888	1028	6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe	InstallUtil.exe
PID 3888 wrote to memory of 360	3888	InstallUtil.exe	cmd.exe
PID 3888 wrote to memory of 360	3888	InstallUtil.exe	cmd.exe
PID 3888 wrote to memory of 360	3888	InstallUtil.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe
"C:\Users\Admin\AppData\Local\Temp\6d8cc0362985a67099da3641ca7d85be0e69a809e0e9a735a88c97917950f58d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfDel.bat" "
3⤵
PID:360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\selfDel.bat

MD5
4900a74937d6b1ad7b57ae06c373039a

SHA1
20ba8ef7104c96e2d24c177dc08257f574dd23a0

SHA256
26a8e326ea1aba506a0d99a8a737470b0f7167292f04c559fd1d9e60991d3a3a

SHA512
75936cb939ad9b91e5285402afb07119d59ffd09719b9425ac300828c1c00dc7be0d1a3725cc6b32c2275404b92547ca333c1ebf01e27124749f197302f45d0b

Download Submit
memory/360-30-0x0000000000000000-mapping.dmp

Download
memory/1028-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/1028-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1028-5-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1028-6-0x0000000004850000-0x0000000004875000-memory.dmp

Filesize
148KB

Download
memory/1028-7-0x0000000006EE0000-0x0000000006F0C000-memory.dmp

Filesize
176KB

Download
memory/1028-8-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/1028-9-0x0000000009230000-0x0000000009231000-memory.dmp

Filesize
4KB

Download
memory/1028-10-0x00000000048D0000-0x00000000048E0000-memory.dmp

Filesize
64KB

Download
memory/1028-11-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1028-12-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3888-16-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/3888-18-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/3888-19-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/3888-20-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3888-21-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3888-22-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3888-25-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/3888-26-0x00000000068D0000-0x00000000068D1000-memory.dmp

Filesize
4KB

Download
memory/3888-27-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/3888-28-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/3888-15-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3888-14-0x000000000042013E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads