redline | 74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac

General

Target

1b0332f5e16ca53771e891705610b780.exe
Size

532KB
MD5

1b0332f5e16ca53771e891705610b780
SHA1

b763b9f5c4f189b9ad29913b3eb8ec551dbe41a6
SHA256

74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac
SHA512

28cdc707438dcd5ab54e7a86e8a96fbaaa072c10eb3e4d24a0535d34206c4d67183521788f5cbc5ab27a7945c55501466cf29d564ad82041204b449b30b0a76b

Score

10^/10

Family

redline

Botnet

test1

C2

212.114.52.221:47868

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1064-60-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1064-61-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1064-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1064-63-0x000000000041932A-mapping.dmp	family_redline
behavioral1/memory/1064-64-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

1b0332f5e16ca53771e891705610b780.exe

description pid process target process

PID 1696 set thread context of 1064 1696 1b0332f5e16ca53771e891705610b780.exe 1b0332f5e16ca53771e891705610b780.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1b0332f5e16ca53771e891705610b780.exe

description pid process

Token: SeDebugPrivilege 1696 1b0332f5e16ca53771e891705610b780.exe

description	pid	process	target process
PID 1696 set thread context of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe

description	pid	process
Token: SeDebugPrivilege	1696	1b0332f5e16ca53771e891705610b780.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1b0332f5e16ca53771e891705610b780.exe

description	pid	process	target process
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 1696 wrote to memory of 1064	1696	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe

C:\Users\Admin\AppData\Local\Temp\1b0332f5e16ca53771e891705610b780.exe
C:\Users\Admin\AppData\Local\Temp\1b0332f5e16ca53771e891705610b780.exe
2⤵
PID:1064

memory/1064-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-63-0x000000000041932A-mapping.dmp

Download
memory/1064-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1064-66-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1696-54-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1696-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1696-56-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download