redline | 41b88d86f1edce5ff233e6517a49486bd4fa572edf6561ef187c765916c1c3af

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26/04/2023, 06:04

Target

ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe
Size

787KB
MD5

e7f3c79a7ccdbb0d41bddedcba03af91
SHA1

fc6f3f5921f4608bd394a6e3eb1a6dc1cec53209
SHA256

ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1
SHA512

e84c0ff61a3a104378e0a34ed78b0cf7561c8a39889928649251332e9b6b0803469d53a0dc8ac6d5216c518ebe3cece0bd0d378791756e3978cd9fc5ffa7f969
SSDEEP

24576:b1tRxsHztPruUBL4dtl/UhebsgaReNHTvaTC3c:RxqNtLIfEebNHbaus

Score

10^/10

Family

redline

37.220.87.13:48790

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1808	1544	ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe	29
PID 1544 wrote to memory of 1808	1544	ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe	29
PID 1544 wrote to memory of 1808	1544	ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe	29
PID 1544 wrote to memory of 1808	1544	ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe	29
PID 1544 wrote to memory of 1808	1544	ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe	29
PID 1544 wrote to memory of 1808	1544	ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe	29
PID 1544 wrote to memory of 1808	1544	ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe	29
PID 1544 wrote to memory of 1808	1544	ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe	29

C:\Users\Admin\AppData\Local\Temp\ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe
"C:\Users\Admin\AppData\Local\Temp\ab91e4803417bc6c3414ce4ac7f80f181d742d79e8756d64ca4833bef0ac9ff1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1808

memory/1808-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download