redline | 74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac

General

Target

1b0332f5e16ca53771e891705610b780.exe
Size

532KB
MD5

1b0332f5e16ca53771e891705610b780
SHA1

b763b9f5c4f189b9ad29913b3eb8ec551dbe41a6
SHA256

74c5701189877d6ff1cee769cfb34bd211feebbd4ad1e03c4f5c609dffe184ac
SHA512

28cdc707438dcd5ab54e7a86e8a96fbaaa072c10eb3e4d24a0535d34206c4d67183521788f5cbc5ab27a7945c55501466cf29d564ad82041204b449b30b0a76b

Score

10^/10

redline test1 infostealer

Malware Config

Extracted

Family

redline

Botnet

test1

C2

212.114.52.221:47868

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2564-122-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2564-123-0x000000000041932A-mapping.dmp	family_redline
behavioral2/memory/2564-130-0x0000000004D40000-0x0000000005346000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

1b0332f5e16ca53771e891705610b780.exe

description pid process target process

PID 912 set thread context of 2564 912 1b0332f5e16ca53771e891705610b780.exe 1b0332f5e16ca53771e891705610b780.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1b0332f5e16ca53771e891705610b780.exe

description pid process

Token: SeDebugPrivilege 912 1b0332f5e16ca53771e891705610b780.exe

description	pid	process	target process
PID 912 set thread context of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe

description	pid	process
Token: SeDebugPrivilege	912	1b0332f5e16ca53771e891705610b780.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1b0332f5e16ca53771e891705610b780.exe

description	pid	process	target process
PID 912 wrote to memory of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 912 wrote to memory of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 912 wrote to memory of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 912 wrote to memory of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 912 wrote to memory of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 912 wrote to memory of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 912 wrote to memory of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe
PID 912 wrote to memory of 2564	912	1b0332f5e16ca53771e891705610b780.exe	1b0332f5e16ca53771e891705610b780.exe

C:\Users\Admin\AppData\Local\Temp\1b0332f5e16ca53771e891705610b780.exe
"C:\Users\Admin\AppData\Local\Temp\1b0332f5e16ca53771e891705610b780.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\1b0332f5e16ca53771e891705610b780.exe
C:\Users\Admin\AppData\Local\Temp\1b0332f5e16ca53771e891705610b780.exe
2⤵
PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1b0332f5e16ca53771e891705610b780.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
memory/912-117-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/912-118-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/912-119-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/912-120-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/912-121-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/912-115-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2564-122-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2564-123-0x000000000041932A-mapping.dmp

Download
memory/2564-127-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2564-128-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2564-129-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2564-130-0x0000000004D40000-0x0000000005346000-memory.dmp

Filesize
6.0MB

Download
memory/2564-131-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2564-132-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads