redline | 1ef621e8245ec8491cc94bb00174f2aa4e03f6aed19dbbcb45a8f2d0f22b79fa

General

Target

Промо видео.scr
Size

432.3MB
MD5

57ba38e708457ee2da813c3850e5f006
SHA1

5dabfffcdddf977f08ced56c5ad9b6a9d3a7a3ff
SHA256

5024e727e7385405534c4849149450f67b4ba7bc0f55444d49ebddc9dd853b4f
SHA512

66be83ad6db74fb0966456f508d1205dd82727e544975494edb0b4e7e93f27669344335713efe3c42fae742691ebf30a7a0c849196391e2e3fa8503ed185c925

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2644-8-0x0000000000400000-0x0000000000488000-memory.dmp	family_redline
behavioral2/memory/2644-9-0x0000000000445F0E-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

Промо видео.scr

description pid process target process

PID 4076 set thread context of 2644 4076 Промо видео.scr AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

2644 AddInProcess32.exe
2644 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Промо видео.scrAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 4076 Промо видео.scr
Token: SeDebugPrivilege 2644 AddInProcess32.exe

description	pid	process	target process
PID 4076 set thread context of 2644	4076	Промо видео.scr	AddInProcess32.exe

pid	process
2644	AddInProcess32.exe
2644	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	4076	Промо видео.scr
Token: SeDebugPrivilege	2644	AddInProcess32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Промо видео.scr

description	pid	process	target process
PID 4076 wrote to memory of 2644	4076	Промо видео.scr	AddInProcess32.exe
PID 4076 wrote to memory of 2644	4076	Промо видео.scr	AddInProcess32.exe
PID 4076 wrote to memory of 2644	4076	Промо видео.scr	AddInProcess32.exe
PID 4076 wrote to memory of 2644	4076	Промо видео.scr	AddInProcess32.exe
PID 4076 wrote to memory of 2644	4076	Промо видео.scr	AddInProcess32.exe
PID 4076 wrote to memory of 2644	4076	Промо видео.scr	AddInProcess32.exe
PID 4076 wrote to memory of 2644	4076	Промо видео.scr	AddInProcess32.exe
PID 4076 wrote to memory of 2644	4076	Промо видео.scr	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\Промо видео.scr
"C:\Users\Admin\AppData\Local\Temp\Промо видео.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-15-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/2644-21-0x0000000006680000-0x0000000006681000-memory.dmp

Filesize
4KB

Download
memory/2644-27-0x0000000008610000-0x0000000008611000-memory.dmp

Filesize
4KB

Download
memory/2644-17-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2644-16-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/2644-8-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2644-9-0x0000000000445F0E-mapping.dmp

Download
memory/2644-10-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-13-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/2644-14-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2644-26-0x0000000008520000-0x0000000008521000-memory.dmp

Filesize
4KB

Download
memory/2644-24-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/2644-22-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/2644-18-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/2644-19-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/2644-20-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/4076-3-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4076-6-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/4076-7-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4076-5-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/4076-2-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads