redline | bd7bdf1fe2307d49c71109ee8a7759b1919bccf1f0e6ee3daa76cf3834d7e3be

Analysis

Target

70.exe
Size

295KB
MD5

d5a4071b7a2b6f45c5178f636bfa1b93
SHA1

89f57ed6b2659e21bdc10c4e7d80efb339d13b3a
SHA256

bd7bdf1fe2307d49c71109ee8a7759b1919bccf1f0e6ee3daa76cf3834d7e3be
SHA512

35d5e7f58fef352d1ed74fbd22fb4da226e0fbc46324ecc34475bd0ee16ce8ab006d165e52d5444c77f4f14abd6a724dcf121dba47e1db9ccf94360394db9e66

Score

10^/10

Family

redline

Botnet

89.22.227.236:22009

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/932-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/932-61-0x000000000041ADD6-mapping.dmp	family_redline
behavioral1/memory/932-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/932-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

70.exe

description pid process target process

PID 884 set thread context of 932 884 70.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1192 884 WerFault.exe 70.exe

description	pid	process	target process
PID 884 set thread context of 932	884	70.exe	AppLaunch.exe

pid	pid_target	process	target process
1192	884	WerFault.exe	70.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

70.exe

description	pid	process	target process
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 932	884	70.exe	AppLaunch.exe
PID 884 wrote to memory of 1192	884	70.exe	WerFault.exe
PID 884 wrote to memory of 1192	884	70.exe	WerFault.exe
PID 884 wrote to memory of 1192	884	70.exe	WerFault.exe
PID 884 wrote to memory of 1192	884	70.exe	WerFault.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 112
2⤵
- Program crash
PID:1192

memory/932-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/932-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/932-61-0x000000000041ADD6-mapping.dmp

Download
memory/932-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/932-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/932-64-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download
memory/1192-65-0x0000000000000000-mapping.dmp

Download