redline | 2da30d32c89579b2f31dd1de4c0ea0df0a446feef8a69af55334515369d0263c

Analysis

max time kernel
131s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2023 09:56

Target

SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe
Size

1.2MB
MD5

19df906dcc6832150ea885afe1b37066
SHA1

a20000afc543feed9361567c347594e9c7e8b085
SHA256

2da30d32c89579b2f31dd1de4c0ea0df0a446feef8a69af55334515369d0263c
SHA512

730ca84fab9250ce54ac49571cf0004211cabb4769a2bb86c17afefc757c180e09d2a90d0db18a4176ca974ff328e4b7bd8b59606dd5dc719290752f4bc81240
SSDEEP

12288:2s9fXUfFIWfTC0xzIBo4swnD9fvtvYSgry:2soF1nxzIV1vt7O

Score

10^/10

Family

redline

Botnet

6179190088

dolma.top:40309

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86
PID 4676 wrote to memory of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86
PID 4676 wrote to memory of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86
PID 4676 wrote to memory of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86
PID 4676 wrote to memory of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86
PID 4676 wrote to memory of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86
PID 4676 wrote to memory of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86
PID 4676 wrote to memory of 1056	4676	SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe	86

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.465956.29298.4898.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1056

memory/1056-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1056-134-0x0000000005550000-0x0000000005B68000-memory.dmp

Filesize
6.1MB

Download
memory/1056-135-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/1056-136-0x00000000050E0000-0x00000000051EA000-memory.dmp

Filesize
1.0MB

Download
memory/1056-137-0x0000000005010000-0x000000000504C000-memory.dmp

Filesize
240KB

Download
memory/1056-138-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/1056-139-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download