redline | 0dbe2f4c9fb1df2da8f350a6b100051a9870c507893306e438a5043440515cf3

Analysis

max time kernel
248s
max time network
544s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 13:15

Target

ALMV Launcher.exe
Size

742.6MB
MD5

8cddcf405a72b2d981532e1d3e17699f
SHA1

f7bfb31a2c1bf54f7ef880239056b1856630d664
SHA256

859185aee0c38ff110e5f3db1540ad2652e9169ebb96bdf4c9712687e6221371
SHA512

0574f3d8949a8b0699559ff94ce78d186506b01e1332075d55860e0db2ee9a051e0ae9e7af2481866061d5cdc0ea2d47633c34089e16da66dd430490bb8312ca
SSDEEP

12288:7TFXGNy0issp5HNisIMCpzXoeU7WS86Og5MGdaUjbIh9/sWr:fxbssp5H1IMCpTo+KX

Score

10^/10

Family

redline

Botnet

almv

79.137.199.206:45354

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

ALMV Launcher.exe

description pid process target process

PID 2036 set thread context of 3408 2036 ALMV Launcher.exe AddInProcess32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2432 2036 WerFault.exe ALMV Launcher.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AddInProcess32.exe

pid process

3408 AddInProcess32.exe
3408 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AddInProcess32.exe

description pid process

Token: SeDebugPrivilege 3408 AddInProcess32.exe

description	pid	process	target process
PID 2036 set thread context of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe

pid	pid_target	process	target process
2432	2036	WerFault.exe	ALMV Launcher.exe

pid	process
3408	AddInProcess32.exe
3408	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	3408	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ALMV Launcher.exe

description	pid	process	target process
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe
PID 2036 wrote to memory of 3408	2036	ALMV Launcher.exe	AddInProcess32.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 572
2⤵
- Program crash
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2036 -ip 2036
1⤵
PID:1792

memory/3408-132-0x0000000000000000-mapping.dmp

Download
memory/3408-133-0x0000000000C00000-0x0000000000C36000-memory.dmp

Filesize
216KB

Download
memory/3408-134-0x00000000056A0000-0x0000000005CB8000-memory.dmp

Filesize
6.1MB

Download
memory/3408-135-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/3408-136-0x00000000051B0000-0x00000000052BA000-memory.dmp

Filesize
1.0MB

Download
memory/3408-137-0x00000000050E0000-0x000000000511C000-memory.dmp

Filesize
240KB

Download
memory/3408-138-0x0000000005E00000-0x0000000005E92000-memory.dmp

Filesize
584KB

Download
memory/3408-139-0x0000000006450000-0x00000000069F4000-memory.dmp

Filesize
5.6MB

Download
memory/3408-140-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/3408-141-0x0000000007780000-0x0000000007942000-memory.dmp

Filesize
1.8MB

Download
memory/3408-142-0x0000000007E80000-0x00000000083AC000-memory.dmp

Filesize
5.2MB

Download
memory/3408-143-0x0000000006C40000-0x0000000006CB6000-memory.dmp

Filesize
472KB

Download
memory/3408-144-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download