redline | 20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75

General

Target

20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe
Size

3.6MB
MD5

4f1c1dee549fe45bfc4d69f251c3bbfe
SHA1

2771a162d86f1658a37ad50b55e73c38ebf4459a
SHA256

20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75
SHA512

15b3d64c333e679a37661a21bff192cb6e76f63b3a1b409ae1ec1401893b77d9b76bafff01b3efbdcf7e15a60b55c4f424a161772423c264a3c64d8405255581

Score

10^/10

Family

redline

Botnet

test1

C2

disandillanne.xyz:80

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1184-67-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1184-72-0x00000000004191AE-mapping.dmp	family_redline
behavioral1/memory/1184-73-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1184-74-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe

description	pid	process	target process
PID 324 set thread context of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe

description	pid	process	target process
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe
PID 324 wrote to memory of 1184	324	20144ac4b35cda8d0df43bacffb09aaa82e61c367001d87bd80e233127c41f75.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1184

memory/324-54-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/324-55-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/324-56-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/324-58-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/324-57-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/324-60-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/324-63-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/324-64-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/1184-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1184-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1184-72-0x00000000004191AE-mapping.dmp

Download
memory/1184-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1184-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download