redline | a8946790919846ad03640f1ac35962e092e96ba02344a004a65eae31c7080d17

Analysis

Target

1c5c68369bf3d0d615edfc3d760070f7.exe
Size

2.4MB
MD5

1c5c68369bf3d0d615edfc3d760070f7
SHA1

ccb0d2e9f74b55b77313dbbb01024161b6ad9112
SHA256

a8946790919846ad03640f1ac35962e092e96ba02344a004a65eae31c7080d17
SHA512

082935677bc3b2277dd5d404072307f5fbeb10c3acdee601a1abef7f95a9fa61d8c4fe59d31d217ebce4c8ac7ec843b7b92a298a5eca5ce7230bf58ef49f0caa

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

1c5c68369bf3d0d615edfc3d760070f7.exe

description pid process target process

PID 4836 set thread context of 346968 4836 1c5c68369bf3d0d615edfc3d760070f7.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

347124 4836 WerFault.exe 1c5c68369bf3d0d615edfc3d760070f7.exe

description	pid	process	target process
PID 4836 set thread context of 346968	4836	1c5c68369bf3d0d615edfc3d760070f7.exe	AppLaunch.exe

pid	pid_target	process	target process
347124	4836	WerFault.exe	1c5c68369bf3d0d615edfc3d760070f7.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1c5c68369bf3d0d615edfc3d760070f7.exeAppLaunch.exe

description	pid	process	target process
PID 4836 wrote to memory of 346968	4836	1c5c68369bf3d0d615edfc3d760070f7.exe	AppLaunch.exe
PID 4836 wrote to memory of 346968	4836	1c5c68369bf3d0d615edfc3d760070f7.exe	AppLaunch.exe
PID 4836 wrote to memory of 346968	4836	1c5c68369bf3d0d615edfc3d760070f7.exe	AppLaunch.exe
PID 4836 wrote to memory of 346968	4836	1c5c68369bf3d0d615edfc3d760070f7.exe	AppLaunch.exe
PID 4836 wrote to memory of 346968	4836	1c5c68369bf3d0d615edfc3d760070f7.exe	AppLaunch.exe
PID 346968 wrote to memory of 347032	346968	AppLaunch.exe	AppLaunch.exe
PID 346968 wrote to memory of 347032	346968	AppLaunch.exe	AppLaunch.exe
PID 346968 wrote to memory of 347032	346968	AppLaunch.exe	AppLaunch.exe
PID 346968 wrote to memory of 347052	346968	AppLaunch.exe	AppLaunch.exe
PID 346968 wrote to memory of 347052	346968	AppLaunch.exe	AppLaunch.exe
PID 346968 wrote to memory of 347052	346968	AppLaunch.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:346968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:347032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:347052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 344092
2⤵
- Program crash
PID:347124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
1⤵
PID:347084

memory/346968-130-0x0000000000000000-mapping.dmp

Download
memory/346968-131-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/346968-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/347032-138-0x0000000000000000-mapping.dmp

Download
memory/347052-139-0x0000000000000000-mapping.dmp

Download