redline | 5b9485481c38b7cb26d8dee0181900df0e1310d7eef9bf2cd73bdde8a825d0a8

Analysis

Target

a61568c460fec240f6b098f902f37656.exe
Size

833KB
MD5

a61568c460fec240f6b098f902f37656
SHA1

568246a5ed71acf14ba5c7d91e3e55666771f9d6
SHA256

5b9485481c38b7cb26d8dee0181900df0e1310d7eef9bf2cd73bdde8a825d0a8
SHA512

b536211806c289639966b2cb47d2f87059e1ae2c66b9340b0fb2144c87f381ecf649a2f9049a393ac654b7149832812051a0b095724718cc6e0cc94ff8719d2d

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

a61568c460fec240f6b098f902f37656.exe

description pid process target process

PID 784 set thread context of 1388 784 a61568c460fec240f6b098f902f37656.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AddInProcess32.exe

pid process

1388 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a61568c460fec240f6b098f902f37656.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 784 a61568c460fec240f6b098f902f37656.exe
Token: SeDebugPrivilege 1388 AddInProcess32.exe

description	pid	process	target process
PID 784 set thread context of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe

pid	process
1388	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	784	a61568c460fec240f6b098f902f37656.exe
Token: SeDebugPrivilege	1388	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a61568c460fec240f6b098f902f37656.exe

description	pid	process	target process
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe
PID 784 wrote to memory of 1388	784	a61568c460fec240f6b098f902f37656.exe	AddInProcess32.exe

memory/784-2-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/784-3-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/784-5-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/784-6-0x00000000005E0000-0x00000000005F3000-memory.dmp

Filesize
76KB

Download
memory/1388-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1388-8-0x000000000041E88E-mapping.dmp

Download
memory/1388-9-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/1388-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1388-12-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download