redline | 49ddb5fcbdd0c23718e0bd08ea3f2e4d138271867718315d650008083be1c05a

Analysis

Target

1d0ea562_extracted.exe
Size

154KB
MD5

b695766dd97d30b93e078d2a35041e67
SHA1

d313d986245fb9953a929e8ff3dbfa4e777e66fd
SHA256

49ddb5fcbdd0c23718e0bd08ea3f2e4d138271867718315d650008083be1c05a
SHA512

aef2596d21e8ef3e517a1efabb785143f03b6f1db91e87653d532012b0c37aa77e366ea6adbeb654dee69b59cacc7f7fb7810fa998ebf626f6fa2ec78f58ca74

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1356 taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1d0ea562_extracted.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1932 1d0ea562_extracted.exe
Token: SeDebugPrivilege 1356 taskkill.exe

pid	process
1356	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1932	1d0ea562_extracted.exe
Token: SeDebugPrivilege	1356	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1d0ea562_extracted.execmd.exe

description	pid	process	target process
PID 1932 wrote to memory of 1368	1932	1d0ea562_extracted.exe	cmd.exe
PID 1932 wrote to memory of 1368	1932	1d0ea562_extracted.exe	cmd.exe
PID 1932 wrote to memory of 1368	1932	1d0ea562_extracted.exe	cmd.exe
PID 1932 wrote to memory of 1368	1932	1d0ea562_extracted.exe	cmd.exe
PID 1368 wrote to memory of 1356	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1356	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1356	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1356	1368	cmd.exe	taskkill.exe
PID 1368 wrote to memory of 1760	1368	cmd.exe	choice.exe
PID 1368 wrote to memory of 1760	1368	cmd.exe	choice.exe
PID 1368 wrote to memory of 1760	1368	cmd.exe	choice.exe
PID 1368 wrote to memory of 1760	1368	cmd.exe	choice.exe

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 1932 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1d0ea562_extracted.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

memory/1356-8-0x0000000000000000-mapping.dmp

Download
memory/1368-7-0x0000000000000000-mapping.dmp

Download
memory/1760-9-0x0000000000000000-mapping.dmp

Download
memory/1932-2-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/1932-3-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1932-6-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download