redline | e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011

General

Target

SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
Size

617KB
MD5

c26cc90827555cd37a7a5c1088c0261a
SHA1

571908a143295bba4d75b57e953f4f18e3bc74cd
SHA256

e1ccbcfb77a8ee31db04f21a4962ed0c117bb65a3ce3e453a6176068a379e011
SHA512

c4387351b42835f43dd04518da2744b9b5848a40ca18cc8d6b7b633c9460e98d21cbe7ce86005cb3813bbeaa886b6f300fdca65a50c5e1841fde3fa6f937009f

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3272-12-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/3272-13-0x000000000041EFE2-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

description	pid	process	target process
PID 3932 set thread context of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

description pid process

Token: SeDebugPrivilege 3272 SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

description	pid	process
Token: SeDebugPrivilege	3272	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

description	pid	process	target process
PID 3932 wrote to memory of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 3932 wrote to memory of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 3932 wrote to memory of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 3932 wrote to memory of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 3932 wrote to memory of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 3932 wrote to memory of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 3932 wrote to memory of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
PID 3932 wrote to memory of 3272	3932	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe	SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.PWS-FCUFC26CC9082755.32639.28315.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
memory/3272-20-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/3272-19-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3272-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3272-24-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/3272-13-0x000000000041EFE2-mapping.dmp

Download
memory/3272-22-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3272-21-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/3272-18-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3272-25-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/3272-23-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/3272-15-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/3932-11-0x0000000008250000-0x00000000082BD000-memory.dmp

Filesize
436KB

Download
memory/3932-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3932-5-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3932-2-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/3932-10-0x0000000004E60000-0x0000000004E6B000-memory.dmp

Filesize
44KB

Download
memory/3932-9-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/3932-8-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3932-7-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3932-6-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads