redline | 63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab

Analysis

Target

440c6427f359554d5152d93dbb272cc2.exe
Size

416KB
MD5

440c6427f359554d5152d93dbb272cc2
SHA1

1be9b53d33272b3730bf564d1f2b39119cfb7c78
SHA256

63a34871b484152dce8b02ce232207e288049a55ff148d0eee8d7571842d40ab
SHA512

23e14a24c21a89c0222ab2b6a8ae77be7ff788abfa1b1ed3377723ec49d8b0969e84f26142abe564f2eb20ae6986b70f0ba885af394762bae2e383301fd3c2f8

Score

10^/10

Family

redline

Botnet

Teslalogs

91.206.14.151:50125

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1868-120-0x00000000003D0000-0x00000000003F2000-memory.dmp	family_redline
behavioral2/memory/1868-125-0x00000000003EC5EA-mapping.dmp	family_redline
behavioral2/memory/1868-132-0x00000000049E0000-0x0000000004FE6000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

440c6427f359554d5152d93dbb272cc2.exe

description pid process target process

PID 3712 set thread context of 1868 3712 440c6427f359554d5152d93dbb272cc2.exe RegSvcs.exe

description	pid	process	target process
PID 3712 set thread context of 1868	3712	440c6427f359554d5152d93dbb272cc2.exe	RegSvcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

440c6427f359554d5152d93dbb272cc2.exe

description	pid	process	target process
PID 3712 wrote to memory of 1868	3712	440c6427f359554d5152d93dbb272cc2.exe	RegSvcs.exe
PID 3712 wrote to memory of 1868	3712	440c6427f359554d5152d93dbb272cc2.exe	RegSvcs.exe
PID 3712 wrote to memory of 1868	3712	440c6427f359554d5152d93dbb272cc2.exe	RegSvcs.exe
PID 3712 wrote to memory of 1868	3712	440c6427f359554d5152d93dbb272cc2.exe	RegSvcs.exe
PID 3712 wrote to memory of 1868	3712	440c6427f359554d5152d93dbb272cc2.exe	RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1868

memory/1868-129-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1868-128-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1868-133-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1868-132-0x00000000049E0000-0x0000000004FE6000-memory.dmp

Filesize
6.0MB

Download
memory/1868-131-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/1868-120-0x00000000003D0000-0x00000000003F2000-memory.dmp

Filesize
136KB

Download
memory/1868-126-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1868-125-0x00000000003EC5EA-mapping.dmp

Download
memory/1868-130-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/3712-115-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3712-116-0x00000000013C0000-0x0000000001434000-memory.dmp

Filesize
464KB

Download
memory/3712-119-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/3712-118-0x0000000074CF0000-0x0000000074EB2000-memory.dmp

Filesize
1.8MB

Download
memory/3712-117-0x00000000011C0000-0x0000000001203000-memory.dmp

Filesize
268KB

Download