redline | 097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567

Analysis

max time kernel
292s
max time network
300s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-11-2022 08:21

Target

097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe
Size

2.4MB
MD5

498439e04b8910a83efa090fc5cab860
SHA1

fb00f73b123b39e0afe513252b02294ac88ec23e
SHA256

097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567
SHA512

5762c3af49b34d56c121855422a03d021c86d0708e7d0ba3b866d3978ef06fc973142459fda305f2b0d016777595bb613bd8bc7e1c0cecdf4328d7cbed6c1149
SSDEEP

24576:sbtIOSYgYszi9a1MfBo6erYVt16pG5AB0Pv+CUr9mJSBILa0daD/zsl3RuQ5531U:s5IJh/G5ACn+CUrgJSBI+0dll3a

Score

10^/10

Family

redline

Botnet

@gentlemen12348

185.106.92.226:40788

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/148580-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/148580-61-0x000000000041ADDA-mapping.dmp	family_redline
behavioral1/memory/2020-63-0x0000000000400000-0x0000000000560000-memory.dmp	family_redline
behavioral1/memory/148580-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/148580-64-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27
PID 2020 wrote to memory of 148580	2020	097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe	27

C:\Users\Admin\AppData\Local\Temp\097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe
"C:\Users\Admin\AppData\Local\Temp\097801f0775cebf4636748c142b73e2007c8f5b4013a295588361355e0946567.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:148580

memory/2020-63-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/148580-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/148580-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/148580-61-0x000000000041ADDA-mapping.dmp

Download
memory/148580-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/148580-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/148580-65-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download