redline | 286bb7855ae2d5a4963f4cefb78127cedff7ce7755e6da993be7c45c76676dd9

General

Target

51396197.exe
Size

490KB
MD5

299b400d98ec9cd5115e1d969c915bdf
SHA1

2a53cd1d2380ce1115fcf891a8f9f53a5f6f6e65
SHA256

286bb7855ae2d5a4963f4cefb78127cedff7ce7755e6da993be7c45c76676dd9
SHA512

b837c5d7476234e9e7878fb8d44c5c0753fe697e187465735e6638943ffb164cef1677981490aea08d146bd4a59889c156f8052f9b25b674a1e941a87cf62540

Score

10^/10

Family

redline

Botnet

eu

C2

78.47.178.190:24520

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/764-61-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/764-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/764-65-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/764-67-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/764-69-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

51396197.exe

description pid process target process

PID 792 set thread context of 764 792 51396197.exe 51396197.exe

description	pid	process	target process
PID 792 set thread context of 764	792	51396197.exe	51396197.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

51396197.exe

description	pid	process	target process
PID 792 wrote to memory of 660	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 660	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 660	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 660	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 332	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 332	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 332	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 332	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe
PID 792 wrote to memory of 764	792	51396197.exe	51396197.exe

C:\Users\Admin\AppData\Local\Temp\51396197.exe
C:\Users\Admin\AppData\Local\Temp\51396197.exe
2⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\51396197.exe
C:\Users\Admin\AppData\Local\Temp\51396197.exe
2⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\51396197.exe
C:\Users\Admin\AppData\Local\Temp\51396197.exe
2⤵
PID:764

memory/764-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/764-70-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/764-71-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/792-54-0x00000000001B0000-0x0000000000232000-memory.dmp

Filesize
520KB

Download
memory/792-55-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/792-56-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download