redline | 58f3fbaf758d8a79e562e05ae9bff548eff643329ce96cac21ce763d0dedcd2d

General

Target

c53f1fd18ee3d2e35471fc7e103a4aa7.exe
Size

159KB
MD5

c53f1fd18ee3d2e35471fc7e103a4aa7
SHA1

486ae0e4b221a79ac6cb29268636320f0ff3a33f
SHA256

1109998f685c71644a6d8e3b9c55b9772f970eb0c981e05b2cacb30e73e76e26
SHA512

1d193c1343dbdb34d1b933a3efd6f892d5f91f5a87f4bba180dc23703e3a2ddb4c5a33bf3062f2e9b7eb169129895984af413c0f9e6c155fe5d8f662a19ca5a6

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4068-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/4068-14-0x000000000041EFD6-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

c53f1fd18ee3d2e35471fc7e103a4aa7.exe

description pid process target process

PID 4776 set thread context of 4068 4776 c53f1fd18ee3d2e35471fc7e103a4aa7.exe AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c53f1fd18ee3d2e35471fc7e103a4aa7.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 4776 c53f1fd18ee3d2e35471fc7e103a4aa7.exe
Token: SeDebugPrivilege 4068 AddInProcess32.exe

description	pid	process	target process
PID 4776 set thread context of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe
Token: SeDebugPrivilege	4068	AddInProcess32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c53f1fd18ee3d2e35471fc7e103a4aa7.exe

description	pid	process	target process
PID 4776 wrote to memory of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe
PID 4776 wrote to memory of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe
PID 4776 wrote to memory of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe
PID 4776 wrote to memory of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe
PID 4776 wrote to memory of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe
PID 4776 wrote to memory of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe
PID 4776 wrote to memory of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe
PID 4776 wrote to memory of 4068	4776	c53f1fd18ee3d2e35471fc7e103a4aa7.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\c53f1fd18ee3d2e35471fc7e103a4aa7.exe
"C:\Users\Admin\AppData\Local\Temp\c53f1fd18ee3d2e35471fc7e103a4aa7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4068-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4068-25-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4068-24-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/4068-23-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/4068-22-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4068-21-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/4068-20-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4068-15-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/4068-14-0x000000000041EFD6-mapping.dmp

Download
memory/4776-7-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/4776-12-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4776-11-0x0000000004C04000-0x0000000004C06000-memory.dmp

Filesize
8KB

Download
memory/4776-10-0x0000000004C03000-0x0000000004C04000-memory.dmp

Filesize
4KB

Download
memory/4776-8-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4776-9-0x0000000004C02000-0x0000000004C03000-memory.dmp

Filesize
4KB

Download
memory/4776-2-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4776-6-0x0000000004A40000-0x0000000004A4C000-memory.dmp

Filesize
48KB

Download
memory/4776-5-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4776-4-0x0000000002300000-0x000000000230D000-memory.dmp

Filesize
52KB

Download
memory/4776-3-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads