redline | e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011

General

Target

SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
Size

617KB
MD5

c26cc90827555cd37a7a5c1088c0261a
SHA1

571908a143295bba4d75b57e953f4f18e3bc74cd
SHA256

e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011
SHA512

c4387351b42835f43dd04518da2744b9b5848a40ca18cc8d6b7b633c9460e98d21cbe7ce86005cb3813bbeaa886b6f300fdca65a50c5e1841fde3fa6f937009f

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/672-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/672-9-0x000000000041EFE2-mapping.dmp	family_redline
behavioral1/memory/672-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

description	pid	process	target process
PID 1856 set thread context of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

description pid process

Token: SeDebugPrivilege 672 SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

description	pid	process
Token: SeDebugPrivilege	672	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

description	pid	process	target process
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 1856 wrote to memory of 672	1856	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

memory/672-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/672-9-0x000000000041EFE2-mapping.dmp

Download
memory/672-10-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/672-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/672-13-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1856-2-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-3-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1856-5-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1856-6-0x0000000000560000-0x000000000056B000-memory.dmp

Filesize
44KB

Download
memory/1856-7-0x0000000007ED0000-0x0000000007F3D000-memory.dmp

Filesize
436KB

Download