redline | be394c34bc2d5f532f3ddac7e2d692c60401d71858d4ae2f077af559f33ef772

General

Target

831d4e7f62efecd2fc159074383b965b.exe
Size

2.0MB
MD5

831d4e7f62efecd2fc159074383b965b
SHA1

4856dbaebf644b83f620fff1666f8553ad47d9b5
SHA256

be394c34bc2d5f532f3ddac7e2d692c60401d71858d4ae2f077af559f33ef772
SHA512

6e60c373cb7ace5666507dd58bf39c4c92346c070f6c4a2d62cd5966dd84bddee89034ba3ee4cce52df74fc0b0aede68d49fea29ee24f9698833905c853c88e8

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	checkip.amazonaws.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
540	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	831d4e7f62efecd2fc159074383b965b.exe
Token: SeDebugPrivilege	540	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78
PID 4808 wrote to memory of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78
PID 4808 wrote to memory of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78
PID 4808 wrote to memory of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78
PID 4808 wrote to memory of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78
PID 4808 wrote to memory of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78
PID 4808 wrote to memory of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78
PID 4808 wrote to memory of 540	4808	831d4e7f62efecd2fc159074383b965b.exe	78

C:\Users\Admin\AppData\Local\Temp\831d4e7f62efecd2fc159074383b965b.exe
"C:\Users\Admin\AppData\Local\Temp\831d4e7f62efecd2fc159074383b965b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-23-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/540-27-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/540-17-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/540-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-29-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/540-28-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/540-20-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/540-26-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/540-25-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/540-24-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/540-22-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/540-32-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/540-21-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4808-10-0x000000000B410000-0x000000000B4D7000-memory.dmp

Filesize
796KB

Download
memory/4808-6-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/4808-5-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/4808-14-0x000000000B010000-0x000000000B0A1000-memory.dmp

Filesize
580KB

Download
memory/4808-2-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4808-13-0x000000000AF40000-0x000000000B00C000-memory.dmp

Filesize
816KB

Download
memory/4808-12-0x000000000B590000-0x000000000B591000-memory.dmp

Filesize
4KB

Download
memory/4808-11-0x0000000007C80000-0x0000000007C85000-memory.dmp

Filesize
20KB

Download
memory/4808-3-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4808-9-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/4808-8-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4808-7-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing