redline | 118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5

General

Target

118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe
Size

3.6MB
MD5

34a6cfdf1745cec12dfbbf98c3b9f9e5
SHA1

11727439dc908ac568b280e9ce83a0abe013df20
SHA256

118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5
SHA512

5e021c59b6aba8029ba22fffcd947502b1901759501338f5b806b35928fd29b5d780121ed923cd209eb8ad4b950d11a134566b9c647d3c6f8a25e95b84138437

Score

10^/10

redline test1 infostealer

Malware Config

Extracted

Family

redline

Botnet

test1

C2

disandillanne.xyz:80

Attributes

auth_value
49b58bceac3797b6c21fd0772031e010

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1960-60-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1960-66-0x00000000004191AE-mapping.dmp	family_redline
behavioral1/memory/1960-67-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1960-69-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe

description	pid	process	target process
PID 1964 set thread context of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe

description	pid	process	target process
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe
PID 1964 wrote to memory of 1960	1964	118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe
"C:\Users\Admin\AppData\Local\Temp\118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-79-0x0000000074090000-0x00000000740B0000-memory.dmp

Filesize
128KB

Download
memory/1960-80-0x000000006D730000-0x000000006DE6E000-memory.dmp

Filesize
7.2MB

Download
memory/1960-74-0x00000000742F0000-0x00000000746E3000-memory.dmp

Filesize
3.9MB

Download
memory/1960-75-0x0000000070C60000-0x000000007180E000-memory.dmp

Filesize
11.7MB

Download
memory/1960-73-0x0000000071810000-0x0000000071FF0000-memory.dmp

Filesize
7.9MB

Download
memory/1960-66-0x00000000004191AE-mapping.dmp

Download
memory/1960-85-0x0000000071FF0000-0x0000000072A00000-memory.dmp

Filesize
10.1MB

Download
memory/1960-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1960-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1960-70-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1960-71-0x0000000072A00000-0x0000000073D8F000-memory.dmp

Filesize
19.6MB

Download
memory/1960-72-0x0000000071FF0000-0x0000000072A00000-memory.dmp

Filesize
10.1MB

Download
memory/1960-86-0x000000006E420000-0x000000006F72F000-memory.dmp

Filesize
19.1MB

Download
memory/1960-84-0x0000000072A00000-0x0000000073D8F000-memory.dmp

Filesize
19.6MB

Download
memory/1960-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1960-76-0x000000006F950000-0x0000000070C57000-memory.dmp

Filesize
19.0MB

Download
memory/1960-77-0x000000006E130000-0x000000006E418000-memory.dmp

Filesize
2.9MB

Download
memory/1960-78-0x000000006DE70000-0x000000006E12B000-memory.dmp

Filesize
2.7MB

Download
memory/1960-83-0x000000006E420000-0x000000006F72F000-memory.dmp

Filesize
19.1MB

Download
memory/1960-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1960-81-0x000000006D660000-0x000000006D729000-memory.dmp

Filesize
804KB

Download
memory/1960-82-0x000000006D560000-0x000000006D65C000-memory.dmp

Filesize
1008KB

Download
memory/1964-54-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/1964-59-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/1964-68-0x0000000000400000-0x00000000009E8000-memory.dmp

Filesize
5.9MB

Download
memory/1964-61-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads