redline | 7dd8274d9c755c46f84c814722ea8dfc23ee9b974723c0f0cc94be39df080f55

General

Target

9fba94f364070b04c0fdb8571f9e3d64.exe
Size

159KB
MD5

9fba94f364070b04c0fdb8571f9e3d64
SHA1

77f8f9f82d5df03dc30f6fc57f76d915bd4a55a5
SHA256

b31f3cc34aeb0e3049bfacb9d08adaca44c44ddf41d47c8132fd52c4b5103cc4
SHA512

ebff32e496d5f9175795b0127eee79ccb25ff0de9eaa2f8d3107ac0a32f751f30a0cac04e36966a29f2cc15814e8df9021338262650bf312f3598ede17fa1e59

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3896-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/3896-14-0x000000000041EFD6-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

9fba94f364070b04c0fdb8571f9e3d64.exe

description pid process target process

PID 4712 set thread context of 3896 4712 9fba94f364070b04c0fdb8571f9e3d64.exe AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9fba94f364070b04c0fdb8571f9e3d64.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 4712 9fba94f364070b04c0fdb8571f9e3d64.exe
Token: SeDebugPrivilege 3896 AddInProcess32.exe

description	pid	process	target process
PID 4712 set thread context of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	4712	9fba94f364070b04c0fdb8571f9e3d64.exe
Token: SeDebugPrivilege	3896	AddInProcess32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9fba94f364070b04c0fdb8571f9e3d64.exe

description	pid	process	target process
PID 4712 wrote to memory of 3284	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3284	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3284	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 2712	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 2712	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 2712	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe
PID 4712 wrote to memory of 3896	4712	9fba94f364070b04c0fdb8571f9e3d64.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\9fba94f364070b04c0fdb8571f9e3d64.exe
"C:\Users\Admin\AppData\Local\Temp\9fba94f364070b04c0fdb8571f9e3d64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:3284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3896-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3896-25-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3896-24-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3896-23-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3896-22-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3896-21-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/3896-20-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/3896-15-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/3896-14-0x000000000041EFD6-mapping.dmp

Download
memory/4712-6-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/4712-12-0x0000000004B24000-0x0000000004B26000-memory.dmp

Filesize
8KB

Download
memory/4712-11-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4712-10-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4712-9-0x0000000004A40000-0x0000000004A4C000-memory.dmp

Filesize
48KB

Download
memory/4712-8-0x0000000004B23000-0x0000000004B24000-memory.dmp

Filesize
4KB

Download
memory/4712-2-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4712-7-0x0000000004B22000-0x0000000004B23000-memory.dmp

Filesize
4KB

Download
memory/4712-5-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4712-4-0x0000000002220000-0x000000000222D000-memory.dmp

Filesize
52KB

Download
memory/4712-3-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads