redline | 74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac

General

Target

74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
Size

532KB
MD5

1b0332f5e16ca53771e891705610b780
SHA1

b763b9f5c4f189b9ad29913b3eb8ec551dbe41a6
SHA256

74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac
SHA512

28cdc707438dcd5ab54e7a86e8a96fbaaa072c10eb3e4d24a0535d34206c4d67183521788f5cbc5ab27a7945c55501466cf29d564ad82041204b449b30b0a76b

Score

10^/10

Family

redline

Botnet

test1

C2

212.114.52.221:47868

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4072-122-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/4072-123-0x000000000041932A-mapping.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe

description	pid	process	target process
PID 4156 set thread context of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe

description pid process

Token: SeDebugPrivilege 4156 74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe

description	pid	process
Token: SeDebugPrivilege	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe

description	pid	process	target process
PID 4156 wrote to memory of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
PID 4156 wrote to memory of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
PID 4156 wrote to memory of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
PID 4156 wrote to memory of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
PID 4156 wrote to memory of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
PID 4156 wrote to memory of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
PID 4156 wrote to memory of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
PID 4156 wrote to memory of 4072	4156	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe	74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe

C:\Users\Admin\AppData\Local\Temp\74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
C:\Users\Admin\AppData\Local\Temp\74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac.exe
2⤵
PID:4072

memory/4072-127-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4072-126-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/4072-131-0x0000000005410000-0x0000000005A16000-memory.dmp

Filesize
6.0MB

Download
memory/4072-130-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4072-129-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4072-123-0x000000000041932A-mapping.dmp

Download
memory/4072-128-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/4072-122-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4156-117-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4156-115-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4156-121-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/4156-120-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4156-119-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/4156-118-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download