redline | a9c0d0616ae668762302b32276535eb92f09efb470ddfd7f6edbd2ac085bdd23

General

Target

SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
Size

592KB
MD5

ab3b477988b6df60f7d42202f6b0c2c1
SHA1

45eaca4973528c65b27a96f5078c56694f4543de
SHA256

a9c0d0616ae668762302b32276535eb92f09efb470ddfd7f6edbd2ac085bdd23
SHA512

77c5577d3db53b3a6758a2fe2aef42814467a30aeb51d35b30fd148c80bb425dce13b8a52d4bf077561396d0d1d752736b95113082c52c33f96ec6772c2c8fd8

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1348-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral1/memory/1348-9-0x000000000041E1AA-mapping.dmp	family_redline
behavioral1/memory/1348-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe

description	pid	process	target process
PID 776 set thread context of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe

description pid process

Token: SeDebugPrivilege 1348 SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe

description	pid	process
Token: SeDebugPrivilege	1348	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe

description	pid	process	target process
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
PID 776 wrote to memory of 1348	776	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe	SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.InjectNET.14.6656.5495.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

memory/776-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/776-3-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/776-5-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/776-6-0x00000000004A0000-0x00000000004AB000-memory.dmp

Filesize
44KB

Download
memory/776-7-0x00000000009A0000-0x00000000009E6000-memory.dmp

Filesize
280KB

Download
memory/1348-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1348-9-0x000000000041E1AA-mapping.dmp

Download
memory/1348-10-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1348-13-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download