redline | f21fed5b0a799f25d9fd762f48c8fdebdd27f449054c1d450e2559deb24738c5

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 11:38

Target

082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe
Size

99KB
MD5

18a22e4ad04b2d1a26942d03b92b3e45
SHA1

e197ac792395e8a4b06ab424d28b3517a39ab4e4
SHA256

082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b
SHA512

164a0a449f2c533917394befad407590084dd3abed1c450dfa566503d166f5705b85831b7dfedc15d81ff05f911ef747b618005d89c3924ae95784961521c0dd
SSDEEP

3072:bqcYQlllllllllllllllllllllllKlufsAOomJI8yIdSudgJs9TS:bxlllllllllllllllllllllllKliOomT

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2032-54-0x00000000008D0000-0x00000000008F0000-memory.dmp	family_redline

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1984 2032 WerFault.exe 082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe

pid	pid_target	process	target process
1984	2032	WerFault.exe	082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe

description	pid	process	target process
PID 2032 wrote to memory of 1984	2032	082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe	WerFault.exe
PID 2032 wrote to memory of 1984	2032	082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe	WerFault.exe
PID 2032 wrote to memory of 1984	2032	082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe	WerFault.exe
PID 2032 wrote to memory of 1984	2032	082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe
"C:\Users\Admin\AppData\Local\Temp\082b7777e4bdfea87015007adef8a73b6eef9d6b5454985561ed1b9d29c3f35b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 528
2⤵
- Program crash
PID:1984

memory/2032-54-0x00000000008D0000-0x00000000008F0000-memory.dmp

Filesize
128KB

Download