redline | 1176b04e2fafb75121c0123af0056d080ef97bf98f4fef47ffd7a48d55910db8

Analysis

Target

88600217.exe
Size

4.6MB
MD5

42c773c233daa41deb6cd9aaa3265a1f
SHA1

3178217f4cb7cbd95a6f286717800a8a48bb4fd7
SHA256

1176b04e2fafb75121c0123af0056d080ef97bf98f4fef47ffd7a48d55910db8
SHA512

bae421dc2ba0fb0b99b2f2155e16a575ba3299ef9f341b6110af95dfda8caf6e3c8dc36f182fd14f17adacc59eee160c655244b7e44ace6d9df043b130617071

Score

10^/10

Family

redline

Botnet

@zhilsholi

yabynennet.xyz:81

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2772-136-0x0000000000430000-0x0000000000450000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

88600217.exe

description pid process target process

PID 1516 set thread context of 2772 1516 88600217.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

88600217.exe

pid process

1516 88600217.exe
1516 88600217.exe

description	pid	process	target process
PID 1516 set thread context of 2772	1516	88600217.exe	AppLaunch.exe

pid	process
1516	88600217.exe
1516	88600217.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

88600217.exe

description	pid	process	target process
PID 1516 wrote to memory of 2772	1516	88600217.exe	AppLaunch.exe
PID 1516 wrote to memory of 2772	1516	88600217.exe	AppLaunch.exe
PID 1516 wrote to memory of 2772	1516	88600217.exe	AppLaunch.exe
PID 1516 wrote to memory of 2772	1516	88600217.exe	AppLaunch.exe
PID 1516 wrote to memory of 2772	1516	88600217.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2772

memory/1516-130-0x00000000026E0000-0x0000000002740000-memory.dmp

Filesize
384KB

Download
memory/1516-131-0x0000000000400000-0x000000000093D000-memory.dmp

Filesize
5.2MB

Download
memory/1516-133-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1516-134-0x0000000000400000-0x000000000093D000-memory.dmp

Filesize
5.2MB

Download
memory/1516-141-0x0000000000400000-0x000000000093D000-memory.dmp

Filesize
5.2MB

Download
memory/2772-135-0x0000000000000000-mapping.dmp

Download
memory/2772-136-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/2772-142-0x0000000004F80000-0x0000000005598000-memory.dmp

Filesize
6.1MB

Download
memory/2772-143-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/2772-144-0x0000000004B50000-0x0000000004C5A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-145-0x0000000004A80000-0x0000000004ABC000-memory.dmp

Filesize
240KB

Download