redline | 1d4a0580be6b2711dd97bf8313dfd53b1168b16bb8645875c7118b536675f7ff

Analysis

max time kernel
124s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 12:40

Target

Adobe.exe
Size

1.2MB
MD5

a13821ca38de4c4967587323c42ef684
SHA1

1623c9de5259537ec3787633c66c220f96190c50
SHA256

1d4a0580be6b2711dd97bf8313dfd53b1168b16bb8645875c7118b536675f7ff
SHA512

f956668df44f96806a2ad8be221981dfa011b23709682d405e8f71db3f3b09ceb26f4e22ce0dc6f4ee8ea9102b2bf5c25430d502f0b4aed9fe1c024680a60e7f
SSDEEP

24576:hxBVEe/oZNm1Fq5z0HS51Y9hrlFLRsmk:hDGgoZNm1Q5t5C9HZR

Score

10^/10

Family

redline

Botnet

12-09

20.100.11.120:6677

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4884-139-0x0000000000400000-0x0000000000474000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 4884	3540	Adobe.exe	91

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4884	3540	Adobe.exe	91
PID 3540 wrote to memory of 4884	3540	Adobe.exe	91
PID 3540 wrote to memory of 4884	3540	Adobe.exe	91
PID 3540 wrote to memory of 4884	3540	Adobe.exe	91
PID 3540 wrote to memory of 4884	3540	Adobe.exe	91
PID 3540 wrote to memory of 4884	3540	Adobe.exe	91
PID 3540 wrote to memory of 4884	3540	Adobe.exe	91
PID 3540 wrote to memory of 4884	3540	Adobe.exe	91

C:\Users\Admin\AppData\Local\Temp\Adobe.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\Adobe.exe
  "C:\Users\Admin\AppData\Local\Temp\Adobe.exe"
  2⤵
  PID:4884

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Adobe.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
memory/3540-133-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/3540-134-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/3540-135-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/3540-136-0x0000000008090000-0x000000000812C000-memory.dmp

Filesize
624KB

Download
memory/3540-137-0x0000000000FD0000-0x0000000001036000-memory.dmp

Filesize
408KB

Download
memory/3540-132-0x00000000008D0000-0x0000000000A04000-memory.dmp

Filesize
1.2MB

Download
memory/4884-138-0x0000000000000000-mapping.dmp

Download
memory/4884-139-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4884-141-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/4884-142-0x0000000005550000-0x000000000565A000-memory.dmp

Filesize
1.0MB

Download
memory/4884-143-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/4884-144-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download