redline | fc456589093a8fa62517604f46722a2696ff4104b4828f55b40e26985fdca24d

Analysis

Target

d11db9c62a8150cb6a0188780f503f80.exe
Size

290KB
MD5

d11db9c62a8150cb6a0188780f503f80
SHA1

bfd83c761dfd1f04cce0d25ba115c7ac698d04a2
SHA256

fc456589093a8fa62517604f46722a2696ff4104b4828f55b40e26985fdca24d
SHA512

2027dea5192396a0a319772f2b4abc7a468366e91eb92241b2940f005d10f67786cc5c28aa7c64975f30c30c8380e0ed98ca847c77537ef31916fa639b3adee9

Score

10^/10

Family

redline

Botnet

139.99.32.83:43199

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2208-131-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

d11db9c62a8150cb6a0188780f503f80.exe

description pid process target process

PID 1200 set thread context of 2208 1200 d11db9c62a8150cb6a0188780f503f80.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2924 1200 WerFault.exe d11db9c62a8150cb6a0188780f503f80.exe

description	pid	process	target process
PID 1200 set thread context of 2208	1200	d11db9c62a8150cb6a0188780f503f80.exe	AppLaunch.exe

pid	pid_target	process	target process
2924	1200	WerFault.exe	d11db9c62a8150cb6a0188780f503f80.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

d11db9c62a8150cb6a0188780f503f80.exe

description	pid	process	target process
PID 1200 wrote to memory of 2208	1200	d11db9c62a8150cb6a0188780f503f80.exe	AppLaunch.exe
PID 1200 wrote to memory of 2208	1200	d11db9c62a8150cb6a0188780f503f80.exe	AppLaunch.exe
PID 1200 wrote to memory of 2208	1200	d11db9c62a8150cb6a0188780f503f80.exe	AppLaunch.exe
PID 1200 wrote to memory of 2208	1200	d11db9c62a8150cb6a0188780f503f80.exe	AppLaunch.exe
PID 1200 wrote to memory of 2208	1200	d11db9c62a8150cb6a0188780f503f80.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 276
2⤵
- Program crash
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1200 -ip 1200
1⤵
PID:2652

memory/2208-130-0x0000000000000000-mapping.dmp

Download
memory/2208-131-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2208-136-0x0000000005EA0000-0x00000000064B8000-memory.dmp

Filesize
6.1MB

Download
memory/2208-137-0x0000000005940000-0x0000000005952000-memory.dmp

Filesize
72KB

Download
memory/2208-138-0x0000000005A70000-0x0000000005B7A000-memory.dmp

Filesize
1.0MB

Download
memory/2208-139-0x00000000059A0000-0x00000000059DC000-memory.dmp

Filesize
240KB

Download