redline | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d

General

Target

cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe
Size

212KB
MD5

cd513b84207569e95cf1ca73170e0818
SHA1

1fa2db78e25bea5ce93015c96e30f29971292479
SHA256

cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d
SHA512

b562bf7c625d3b3769aae685f4f102c6f7cf53c783768b59b90a599aff7ed04d18197282c553cfea38b514368939c98ad90da969f5fc5ad7d622bb700edfa59f

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1164-6-0x0000000000400000-0x000000000042A000-memory.dmp	family_redline
behavioral1/memory/1164-7-0x0000000000422016-mapping.dmp	family_redline
behavioral1/memory/1164-9-0x0000000000400000-0x000000000042A000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe

description	pid	process	target process
PID 776 set thread context of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1164 AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1164	AddInProcess32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe

description	pid	process	target process
PID 776 wrote to memory of 1168	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1168	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1168	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1168	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 776 wrote to memory of 1164	776	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe
"C:\Users\Admin\AppData\Local\Temp\cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-2-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/776-3-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/776-5-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1164-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1164-7-0x0000000000422016-mapping.dmp

Download
memory/1164-8-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/1164-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1164-11-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads