redline | 5be845902145831466d3b710541d2c5a53cfc50108126c8802b48226e89e1887

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 04:00

Target

cd2436f1cec484076be83744b0d4e87f.exe
Size

2.4MB
MD5

cd2436f1cec484076be83744b0d4e87f
SHA1

425319f0e8add17e8f430087ba590190dfbf5250
SHA256

5be845902145831466d3b710541d2c5a53cfc50108126c8802b48226e89e1887
SHA512

b465013ef79f6d16dae386c5b05995b3e95167bfdc49363b93679f33e5c46686edf30ce921c6e60aa62526e2c36bf7f529f217a18c496002e028d90306fd9ab1
SSDEEP

24576:pE+5OCYAY49zG/F2Mgeo6erV6X16+vHJrQdPFc3w5TTGgLNMuKbl3RuQ55313b:pN59R8vHJitc3w5TTGgpCl3N

Score

10^/10

Family

redline

Botnet

@forceddd_lzt

5.182.36.101:31305

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/memory/2884-132-0x0000000000400000-0x0000000000560000-memory.dmp	family_redline
behavioral2/memory/150644-134-0x0000000000570000-0x0000000000590000-memory.dmp	family_redline
behavioral2/memory/2884-139-0x0000000000400000-0x0000000000560000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 150644	2884	cd2436f1cec484076be83744b0d4e87f.exe	82

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 150644	2884	cd2436f1cec484076be83744b0d4e87f.exe	82
PID 2884 wrote to memory of 150644	2884	cd2436f1cec484076be83744b0d4e87f.exe	82
PID 2884 wrote to memory of 150644	2884	cd2436f1cec484076be83744b0d4e87f.exe	82
PID 2884 wrote to memory of 150644	2884	cd2436f1cec484076be83744b0d4e87f.exe	82
PID 2884 wrote to memory of 150644	2884	cd2436f1cec484076be83744b0d4e87f.exe	82

C:\Users\Admin\AppData\Local\Temp\cd2436f1cec484076be83744b0d4e87f.exe
"C:\Users\Admin\AppData\Local\Temp\cd2436f1cec484076be83744b0d4e87f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:150644

memory/2884-132-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2884-139-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/150644-134-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/150644-140-0x00000000050E0000-0x00000000056F8000-memory.dmp

Filesize
6.1MB

Download
memory/150644-141-0x0000000004B60000-0x0000000004B72000-memory.dmp

Filesize
72KB

Download
memory/150644-142-0x0000000004C90000-0x0000000004D9A000-memory.dmp

Filesize
1.0MB

Download
memory/150644-143-0x0000000004BC0000-0x0000000004BFC000-memory.dmp

Filesize
240KB

Download