redline | cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d

General

Target

cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe
Size

212KB
MD5

cd513b84207569e95cf1ca73170e0818
SHA1

1fa2db78e25bea5ce93015c96e30f29971292479
SHA256

cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d
SHA512

b562bf7c625d3b3769aae685f4f102c6f7cf53c783768b59b90a599aff7ed04d18197282c553cfea38b514368939c98ad90da969f5fc5ad7d622bb700edfa59f

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/416-7-0x0000000000400000-0x000000000042A000-memory.dmp	family_redline
behavioral2/memory/416-8-0x0000000000422016-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe

description	pid	process	target process
PID 744 set thread context of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AddInProcess32.exe

description pid process

Token: SeDebugPrivilege 416 AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	416	AddInProcess32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe

description	pid	process	target process
PID 744 wrote to memory of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 744 wrote to memory of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 744 wrote to memory of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 744 wrote to memory of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 744 wrote to memory of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 744 wrote to memory of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 744 wrote to memory of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe
PID 744 wrote to memory of 416	744	cc514cc4a2498982dc3505ada5f4fded15a3c3482f5944d4fb7746f040095d1d.exe	AddInProcess32.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:416

memory/416-14-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/416-13-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/416-19-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/416-18-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/416-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/416-8-0x0000000000422016-mapping.dmp

Download
memory/416-17-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/416-12-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/416-9-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/416-16-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/416-15-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/744-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/744-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/744-6-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/744-5-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download