redline | e4331c8eab3a20db74f66603fac6ff6a3faca677176a4015dea2a4665fb3f13f

Analysis

Target

Mopes Hack.exe
Size

326KB
MD5

83e60135c26872fa756fcb26553be6cb
SHA1

3df616b4b4df6faba9373f78dac9a277c07cb26a
SHA256

e4331c8eab3a20db74f66603fac6ff6a3faca677176a4015dea2a4665fb3f13f
SHA512

10834fa839db185629dfce92da2334d4c69dc05041ee045c08610085febeebac054f6c5b64e5a1e259ca06144e6bdc0a91a56acbba130dd6e0aeeb8cfbb67b26

Score

10^/10

Family

redline

Botnet

@silistrii_LZT

arujuyrana.xyz:80

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1760-55-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1760-60-0x000000000041B246-mapping.dmp	family_redline
behavioral1/memory/1760-61-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1760-62-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

Mopes Hack.exe

description pid process target process

PID 1548 set thread context of 1760 1548 Mopes Hack.exe AppLaunch.exe

description	pid	process	target process
PID 1548 set thread context of 1760	1548	Mopes Hack.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Mopes Hack.exe

description	pid	process	target process
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe
PID 1548 wrote to memory of 1760	1548	Mopes Hack.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1760

memory/1760-54-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1760-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1760-60-0x000000000041B246-mapping.dmp

Download
memory/1760-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1760-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1760-63-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1760-64-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1760-66-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download