redline | f91fa2060c2f01f47c27a87ec0e64c02e5f9bc25e645bd5ca83c3c06b8ab63bf

Analysis

max time kernel
136s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2023 13:50

Target

ProtonVPN.exe
Size

3.4MB
MD5

f900e0fa80afacf148edde94dc886426
SHA1

d44fc8bbd2307358a3a238426f577d2954626c49
SHA256

f91fa2060c2f01f47c27a87ec0e64c02e5f9bc25e645bd5ca83c3c06b8ab63bf
SHA512

d184380a2c1a3355260b91b6b88bea392f2f9dcd9bb8e2a19c2397ec5c450eef8a9f9a213142e0a1c2c9a49f904aecf291660dbf002905f094f1ba7ca61279d3
SSDEEP

98304:S9phoap/5L59WJUNw4U2xp3Qf/yaxP/WxCnNCp:wpe2/5L5kExKqCsCN8

Score

10^/10

Family

redline

185.215.113.83:60722

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/5108-136-0x0000000000500000-0x0000000000520000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 5108	4224	ProtonVPN.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3444	4224	WerFault.exe	84

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 5108	4224	ProtonVPN.exe	85
PID 4224 wrote to memory of 5108	4224	ProtonVPN.exe	85
PID 4224 wrote to memory of 5108	4224	ProtonVPN.exe	85
PID 4224 wrote to memory of 5108	4224	ProtonVPN.exe	85
PID 4224 wrote to memory of 5108	4224	ProtonVPN.exe	85

C:\Users\Admin\AppData\Local\Temp\ProtonVPN.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonVPN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 448
  2⤵
  - Program crash
  PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4224 -ip 4224
1⤵
PID:4192

memory/4224-148-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/4224-145-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/4224-142-0x00000000026F0000-0x0000000002750000-memory.dmp

Filesize
384KB

Download
memory/4224-143-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/4224-133-0x0000000000400000-0x000000000093B000-memory.dmp

Filesize
5.2MB

Download
memory/4224-140-0x0000000000400000-0x000000000093B000-memory.dmp

Filesize
5.2MB

Download
memory/4224-147-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/4224-146-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/4224-144-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/5108-136-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/5108-149-0x0000000004FC0000-0x00000000055D8000-memory.dmp

Filesize
6.1MB

Download
memory/5108-150-0x00000000049A0000-0x00000000049B2000-memory.dmp

Filesize
72KB

Download
memory/5108-151-0x0000000004AD0000-0x0000000004BDA000-memory.dmp

Filesize
1.0MB

Download
memory/5108-152-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/5108-153-0x0000000004A00000-0x0000000004A3C000-memory.dmp

Filesize
240KB

Download
memory/5108-155-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download