redline | 79d5b3a1a8b602ecb6ffb87e5c42acdaa4403e81cb3dcf859e573392c2350dc0

General

Target

a1182b4676f7830192db7e7e030e3a85.exe
Size

21KB
MD5

a1182b4676f7830192db7e7e030e3a85
SHA1

0f97efe75ef111f5ae8f4141a4d32bb2cbaf7ced
SHA256

79d5b3a1a8b602ecb6ffb87e5c42acdaa4403e81cb3dcf859e573392c2350dc0
SHA512

3df830a7d4fd0fa27f1d07a47bb0f74533ed6ae06c63e7abdaa84b8cb56e931a0c8032dd5b281e0c2fde44a210c5416ad8f7a29e186bbd099702a34e93822192

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3308-8-0x0000000000400000-0x000000000042A000-memory.dmp	family_redline
behavioral2/memory/3308-9-0x0000000000423E16-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

a1182b4676f7830192db7e7e030e3a85.exe

description pid process target process

PID 728 set thread context of 3308 728 a1182b4676f7830192db7e7e030e3a85.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AddInProcess32.exe

pid process

3308 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a1182b4676f7830192db7e7e030e3a85.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 728 a1182b4676f7830192db7e7e030e3a85.exe
Token: SeDebugPrivilege 3308 AddInProcess32.exe

description	pid	process	target process
PID 728 set thread context of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe

pid	process
3308	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	728	a1182b4676f7830192db7e7e030e3a85.exe
Token: SeDebugPrivilege	3308	AddInProcess32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a1182b4676f7830192db7e7e030e3a85.exe

description	pid	process	target process
PID 728 wrote to memory of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe
PID 728 wrote to memory of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe
PID 728 wrote to memory of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe
PID 728 wrote to memory of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe
PID 728 wrote to memory of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe
PID 728 wrote to memory of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe
PID 728 wrote to memory of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe
PID 728 wrote to memory of 3308	728	a1182b4676f7830192db7e7e030e3a85.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\a1182b4676f7830192db7e7e030e3a85.exe
"C:\Users\Admin\AppData\Local\Temp\a1182b4676f7830192db7e7e030e3a85.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/728-2-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/728-3-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/728-5-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/728-6-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/728-7-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/3308-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3308-9-0x0000000000423E16-mapping.dmp

Download
memory/3308-10-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/3308-15-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/3308-16-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/3308-17-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/3308-18-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3308-19-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/3308-20-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3308-21-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/3308-22-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/3308-23-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/3308-24-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/3308-25-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/3308-26-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads