redline | dfc12b2020fd2c48d9cb0807e63df04adc844ed35db9c6960425f1ace79d64b2

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 08:19

Target

file.exe
Size

351KB
MD5

74c777e44f694389910bf3e9b76fd95f
SHA1

4fbf5d9ef3a0e889e171cf3b119c1af995b332fe
SHA256

dfc12b2020fd2c48d9cb0807e63df04adc844ed35db9c6960425f1ace79d64b2
SHA512

87f75420e842244e98d507a005b1b4d45802886484cfc654bd75d38ffbbfe2acdbc902a282fbb1a2524c766b73adf1712ba0fb6959a7e0dd9443adc38439ec3d
SSDEEP

6144:kDquepOMzRA4LmEFwzT4w2BqAqAODk7Ua1mSgReaYo5yEl4+nK483:kDquIOMzRA4LYRtIUaiYoBQ3

Score

10^/10

Family

redline

Botnet

1310

79.137.192.57:48771

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/95908-56-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/95908-61-0x000000000042216E-mapping.dmp	family_redline
behavioral1/memory/95908-63-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/95908-62-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 95908	1452	file.exe	27

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 95908	1452	file.exe	27
PID 1452 wrote to memory of 95908	1452	file.exe	27
PID 1452 wrote to memory of 95908	1452	file.exe	27
PID 1452 wrote to memory of 95908	1452	file.exe	27
PID 1452 wrote to memory of 95908	1452	file.exe	27
PID 1452 wrote to memory of 95908	1452	file.exe	27
PID 1452 wrote to memory of 95908	1452	file.exe	27
PID 1452 wrote to memory of 95908	1452	file.exe	27
PID 1452 wrote to memory of 95908	1452	file.exe	27

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:95908

memory/95908-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/95908-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/95908-61-0x000000000042216E-mapping.dmp

Download
memory/95908-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/95908-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/95908-64-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download