redline | c0f013c38ae330b1c1eccca933a463558f69a3aed67b3b9d902bfd3611cbf105

General

Target

509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
Size

2.3MB
MD5

addd93ff7bf2e53744e25b39e6057547
SHA1

b64ef50db800a0850a7fa89a7f5d13977ac3f1d3
SHA256

509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7
SHA512

7cb1ad47627b2b5958ece2bf6d509acb89a62f0f0429f24b792701bd8986c3f77cf7ec126acad257ccce6965e77908a27e43620829927cc1b3032f9218756254

Score

10^/10

redline 1 infostealer

Malware Config

Extracted

Family

redline

Botnet

1

C2

denverbbq.net:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-60-0x0000000000370000-0x00000000003A0000-memory.dmp	family_redline
behavioral1/memory/1668-61-0x0000000000440000-0x000000000046E000-memory.dmp	family_redline

Blocklisted process makes network request 64 IoCs

Processes:

cmd.exe

flow	pid	process
2	1668	cmd.exe
3	1668	cmd.exe
4	1668	cmd.exe
5	1668	cmd.exe
6	1668	cmd.exe
7	1668	cmd.exe
8	1668	cmd.exe
9	1668	cmd.exe
10	1668	cmd.exe
11	1668	cmd.exe
12	1668	cmd.exe
13	1668	cmd.exe
14	1668	cmd.exe
15	1668	cmd.exe
16	1668	cmd.exe
17	1668	cmd.exe
18	1668	cmd.exe
19	1668	cmd.exe
21	1668	cmd.exe
22	1668	cmd.exe
23	1668	cmd.exe
24	1668	cmd.exe
25	1668	cmd.exe
26	1668	cmd.exe
27	1668	cmd.exe
28	1668	cmd.exe
29	1668	cmd.exe
30	1668	cmd.exe
31	1668	cmd.exe
32	1668	cmd.exe
33	1668	cmd.exe
34	1668	cmd.exe
35	1668	cmd.exe
36	1668	cmd.exe
37	1668	cmd.exe
38	1668	cmd.exe
39	1668	cmd.exe
40	1668	cmd.exe
41	1668	cmd.exe
42	1668	cmd.exe
43	1668	cmd.exe
44	1668	cmd.exe
45	1668	cmd.exe
46	1668	cmd.exe
47	1668	cmd.exe
48	1668	cmd.exe
49	1668	cmd.exe
50	1668	cmd.exe
51	1668	cmd.exe
52	1668	cmd.exe
53	1668	cmd.exe
54	1668	cmd.exe
55	1668	cmd.exe
56	1668	cmd.exe
57	1668	cmd.exe
58	1668	cmd.exe
59	1668	cmd.exe
60	1668	cmd.exe
61	1668	cmd.exe
62	1668	cmd.exe
63	1668	cmd.exe
64	1668	cmd.exe
65	1668	cmd.exe
66	1668	cmd.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe

pid	process
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cmd.exe

description pid process

Token: SeDebugPrivilege 1668 cmd.exe

description	pid	process
Token: SeDebugPrivilege	1668	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe

description	pid	process	target process
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe
PID 1452 wrote to memory of 1668	1452	509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe
"C:\Users\Admin\AppData\Local\Temp\509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\509f6bb22524158322b48975cd1bb634bc0d9a460389565296b640f62c31cdd7.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-56-0x00000000008C0000-0x000000000093B000-memory.dmp

Filesize
492KB

Download
memory/1452-57-0x0000000001FB0000-0x0000000002130000-memory.dmp

Filesize
1.5MB

Download
memory/1668-54-0x0000000000000000-mapping.dmp

Download
memory/1668-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-60-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/1668-61-0x0000000000440000-0x000000000046E000-memory.dmp

Filesize
184KB

Download
memory/1668-62-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1668-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads