redline | 502c32dd4ce9820711f0840c33e7de4c69617802160870e2a4f02690ae28029c

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2022 14:04

Target

mal.exe
Size

1.5MB
MD5

84d23b22008035354bbabc93aa8d5da7
SHA1

eb776a76b6691a6151b3a4cfcbd5ae6ac5bcf8f6
SHA256

502c32dd4ce9820711f0840c33e7de4c69617802160870e2a4f02690ae28029c
SHA512

1f24991660fffff3ffd42d039a4598625bdc9b0c1e331d8c6145095c207dd4639af5144b275c60a811091edc86433e261d4bd8b56feec229dfb6cce70c9df67d

Score

10^/10

Family

redline

Botnet

45.76.223.107:25950

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1032-138-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

mal.exe

description pid process target process

PID 1036 set thread context of 1032 1036 mal.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

mal.exe

pid process

1036 mal.exe
1036 mal.exe
1036 mal.exe
1036 mal.exe
1036 mal.exe
1036 mal.exe
1036 mal.exe
1036 mal.exe
1036 mal.exe
1036 mal.exe

description	pid	process	target process
PID 1036 set thread context of 1032	1036	mal.exe	InstallUtil.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

mal.exe

description	pid	process	target process
PID 1036 wrote to memory of 1032	1036	mal.exe	InstallUtil.exe
PID 1036 wrote to memory of 1032	1036	mal.exe	InstallUtil.exe
PID 1036 wrote to memory of 1032	1036	mal.exe	InstallUtil.exe
PID 1036 wrote to memory of 1032	1036	mal.exe	InstallUtil.exe
PID 1036 wrote to memory of 1032	1036	mal.exe	InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
PID:1032

memory/1032-135-0x0000000000000000-mapping.dmp

Download
memory/1032-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1032-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1032-140-0x0000000005B80000-0x0000000006198000-memory.dmp

Filesize
6.1MB

Download
memory/1032-141-0x0000000005620000-0x0000000005632000-memory.dmp

Filesize
72KB

Download
memory/1032-142-0x0000000005750000-0x000000000585A000-memory.dmp

Filesize
1.0MB

Download
memory/1032-143-0x0000000005680000-0x00000000056BC000-memory.dmp

Filesize
240KB

Download
memory/1036-132-0x00000000024AB000-0x0000000002B40000-memory.dmp

Filesize
6.6MB

Download
memory/1036-133-0x00000000022EF000-0x000000000243C000-memory.dmp

Filesize
1.3MB

Download
memory/1036-134-0x0000000010F90000-0x00000000110AA000-memory.dmp

Filesize
1.1MB

Download
memory/1036-139-0x00000000022EF000-0x000000000243C000-memory.dmp

Filesize
1.3MB

Download