redline | 3377ef220da5410f08f344b05e0478492960a238e51055495f0112f3207f2ab5

Analysis

max time kernel
156s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 15:34

Target

4493hvqJuniILmZeHYaqmrTWsgHd.exe
Size

14.4MB
MD5

6b0cd578e48d14ee52881cd8848c1d6f
SHA1

2c181b10930567a7ec806a2b3289b58bba705547
SHA256

3377ef220da5410f08f344b05e0478492960a238e51055495f0112f3207f2ab5
SHA512

7cc7a6a1980d9a189807cd1e3556516d91f28ca88156caeb2247fe87ce36821823730638dfb59df1c018417af0ea26b91cb6d9fbe4714320e5d6770a697721fb
SSDEEP

196608:Ql4lapsb2FYXSRUTuNAPqZcrG1IniBEj+9wf6JM7I:

Score

10^/10

Family

redline

Botnet

TestJPG01

77.73.134.70:33110

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 432 set thread context of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81
PID 432 wrote to memory of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81
PID 432 wrote to memory of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81
PID 432 wrote to memory of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81
PID 432 wrote to memory of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81
PID 432 wrote to memory of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81
PID 432 wrote to memory of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81
PID 432 wrote to memory of 2716	432	4493hvqJuniILmZeHYaqmrTWsgHd.exe	81

C:\Users\Admin\AppData\Local\Temp\4493hvqJuniILmZeHYaqmrTWsgHd.exe
"C:\Users\Admin\AppData\Local\Temp\4493hvqJuniILmZeHYaqmrTWsgHd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\4493hvqJuniILmZeHYaqmrTWsgHd.exe
  "C:\Users\Admin\AppData\Local\Temp\4493hvqJuniILmZeHYaqmrTWsgHd.exe"
  2⤵
  PID:2716

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4493hvqJuniILmZeHYaqmrTWsgHd.exe.log

Filesize
617B

MD5
806dff23883c0aa6dcb04133b1380075

SHA1
ab9c711b18ac9edbd41966b3495f837746dbc146

SHA256
b58a668ac53e656011a581a7c1ce3d763b8120487f3017a5881298a588a34e17

SHA512
42ff1897d652e4bf0467e402a9386501810db93d1e18824bb61ec231d50ae9dabed04043cd60996cd508fd3e495825bb02acb5d7619e20773f9bdc5c453017b6

Download Submit
memory/432-134-0x00000000007D0000-0x0000000001642000-memory.dmp

Filesize
14.4MB

Download
memory/432-135-0x0000000006870000-0x0000000006E14000-memory.dmp

Filesize
5.6MB

Download
memory/432-136-0x00000000063C0000-0x000000000645C000-memory.dmp

Filesize
624KB

Download
memory/2716-137-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2716-140-0x00000000061E0000-0x00000000067F8000-memory.dmp

Filesize
6.1MB

Download
memory/2716-141-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

Filesize
72KB

Download
memory/2716-142-0x0000000005CF0000-0x0000000005DFA000-memory.dmp

Filesize
1.0MB

Download
memory/2716-143-0x0000000005CE0000-0x0000000005CF0000-memory.dmp

Filesize
64KB

Download
memory/2716-144-0x0000000005C20000-0x0000000005C5C000-memory.dmp

Filesize
240KB

Download
memory/2716-145-0x0000000005CE0000-0x0000000005CF0000-memory.dmp

Filesize
64KB

Download