redline | f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113

Analysis

Target

NAN.exe
Size

608KB
MD5

db1e5d0455f39c5cf5ac0c210dd679c4
SHA1

836e95bd1285ff790e55a8602febb29d97187bd7
SHA256

578eddcbe98744e25e8836b7cdc447f62b7032bcd3d083f2eb0cfe018022243e
SHA512

3f349ba618510f3e76e893fb70f0bfd5c3885216d73ed024617b49878eed376789eb7d3e4d347bb84aec8d90dbd0706256cdfdfa3f99c3b2b62982d9bc5c3a25

Score

10^/10

Family

redline

Botnet

NANani

87.251.71.14:89

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/960-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral9/memory/960-57-0x000000000041A68A-mapping.dmp	family_redline
behavioral9/memory/960-58-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

NAN.exe

description pid process target process

PID 1336 set thread context of 960 1336 NAN.exe NAN.exe

description	pid	process	target process
PID 1336 set thread context of 960	1336	NAN.exe	NAN.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

NAN.exe

description	pid	process	target process
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe
PID 1336 wrote to memory of 960	1336	NAN.exe	NAN.exe

C:\Users\Admin\AppData\Local\Temp\NAN.exe
"C:\Users\Admin\AppData\Local\Temp\NAN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\NAN.exe
  C:\Users\Admin\AppData\Local\Temp\NAN.exe
  2⤵
  PID:960

memory/960-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-57-0x000000000041A68A-mapping.dmp

Download
memory/960-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-60-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1336-53-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1336-55-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download