redline | a67250f4e3194d603043d506b4bc7c6112bd61a56bf3521e1ee1d95b22a17147

Analysis

Target

b5fc67332e05420980a00e2e4da7ebbc.exe
Size

432KB
MD5

b5fc67332e05420980a00e2e4da7ebbc
SHA1

19394812eefe2e09ba724a580a5c89309fef924d
SHA256

a67250f4e3194d603043d506b4bc7c6112bd61a56bf3521e1ee1d95b22a17147
SHA512

36d95a4a4841371604a36740a93edc916786acd87e51c402dd2031f81da5ec704aa35e1bb010d7007f8233c3973a8757a962e3c49d13d091b87a3384239e7aa7

Score

10^/10

Family

redline

Botnet

lyla2109

213.166.69.181:64650

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1988-63-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1988-64-0x000000000041C5E2-mapping.dmp	family_redline
behavioral1/memory/1988-65-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

b5fc67332e05420980a00e2e4da7ebbc.exe

description pid process target process

PID 1892 set thread context of 1988 1892 b5fc67332e05420980a00e2e4da7ebbc.exe b5fc67332e05420980a00e2e4da7ebbc.exe

description	pid	process	target process
PID 1892 set thread context of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b5fc67332e05420980a00e2e4da7ebbc.exe

description	pid	process	target process
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe
PID 1892 wrote to memory of 1988	1892	b5fc67332e05420980a00e2e4da7ebbc.exe	b5fc67332e05420980a00e2e4da7ebbc.exe

C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
2⤵
PID:1988

memory/1892-60-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1892-62-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1988-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1988-64-0x000000000041C5E2-mapping.dmp

Download
memory/1988-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1988-67-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download