redline | 18354bab9009498b48010c0acb0eba274eba5b9d27f197b773b9c376d7932167

General

Target

56da9aa053adec2eb685d9f81532ad23.exe
Size

491KB
MD5

56da9aa053adec2eb685d9f81532ad23
SHA1

58e47cd4abf19c6a2ddc5d5dc2cbad2e90f68a32
SHA256

18354bab9009498b48010c0acb0eba274eba5b9d27f197b773b9c376d7932167
SHA512

a7526356ae35dc95d0c90fbb5779db0fe01b1f09a00553e064bbf53310e881215aa00256558fdf3ff7f457f450dd23c5b5b009b59da5625cc78cae76ff376a36

Score

10^/10

Family

redline

Botnet

GIZMIK

C2

185.215.113.107:1433

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1656-61-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1656-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1656-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1656-64-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29
PID 1316 wrote to memory of 1656	1316	56da9aa053adec2eb685d9f81532ad23.exe	29

C:\Users\Admin\AppData\Local\Temp\56da9aa053adec2eb685d9f81532ad23.exe
"C:\Users\Admin\AppData\Local\Temp\56da9aa053adec2eb685d9f81532ad23.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\56da9aa053adec2eb685d9f81532ad23.exe
  C:\Users\Admin\AppData\Local\Temp\56da9aa053adec2eb685d9f81532ad23.exe
  2⤵
  PID:1656

memory/1316-55-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1316-56-0x0000000000C40000-0x0000000000CC2000-memory.dmp

Filesize
520KB

Download
memory/1316-57-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1316-58-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download
memory/1656-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1656-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1656-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1656-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1656-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1656-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1656-65-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-67-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download