redline | 2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f

General

Target

14d9e9e29951389651ada7196394637d.exe
Size

18KB
MD5

14d9e9e29951389651ada7196394637d
SHA1

50163e90ff9d1921ca5a5097634f25124a6b50fb
SHA256

2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f
SHA512

a181003d761574d40155ee39bf355c41a39ef6033eb91d5ca8f78569e37f2204a7ee79fbcf50027325297f5f59b0ee49bef70bbd7157a32aa38ca0f92e540915

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1004-12-0x0000000002FC0000-0x0000000002FE4000-memory.dmp	family_redline
behavioral2/memory/1004-14-0x0000000003060000-0x0000000003082000-memory.dmp	family_redline

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 checkip.amazonaws.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

14d9e9e29951389651ada7196394637d.exe

description pid process target process

PID 60 set thread context of 1004 60 14d9e9e29951389651ada7196394637d.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

1004 AddInProcess32.exe
1004 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

14d9e9e29951389651ada7196394637d.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 60 14d9e9e29951389651ada7196394637d.exe
Token: SeDebugPrivilege 1004 AddInProcess32.exe

flow	ioc
18	checkip.amazonaws.com

description	pid	process	target process
PID 60 set thread context of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe

pid	process
1004	AddInProcess32.exe
1004	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	60	14d9e9e29951389651ada7196394637d.exe
Token: SeDebugPrivilege	1004	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

14d9e9e29951389651ada7196394637d.exe

description	pid	process	target process
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe
PID 60 wrote to memory of 1004	60	14d9e9e29951389651ada7196394637d.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\14d9e9e29951389651ada7196394637d.exe
"C:\Users\Admin\AppData\Local\Temp\14d9e9e29951389651ada7196394637d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-2-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/60-3-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/60-5-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/60-6-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/1004-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1004-8-0x000000000040CD2F-mapping.dmp

Download
memory/1004-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1004-10-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/1004-11-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/1004-12-0x0000000002FC0000-0x0000000002FE4000-memory.dmp

Filesize
144KB

Download
memory/1004-13-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/1004-14-0x0000000003060000-0x0000000003082000-memory.dmp

Filesize
136KB

Download
memory/1004-15-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/1004-16-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/1004-17-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/1004-18-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1004-19-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/1004-20-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/1004-21-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/1004-22-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/1004-24-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/1004-26-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/1004-27-0x0000000008BF0000-0x0000000008BF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads