redline | 9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2023, 05:40

Target

9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe
Size

282KB
MD5

36c8895442519b919b04d05d196c73f4
SHA1

859f61c12f335e253f858a79ebd8a1d29e8c6404
SHA256

9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2
SHA512

f5aae082c8bc49a270bbf3903fe897485757ec5ad3a58a54efd88358c7d1a04ea4a5adb90b39c62f15f0c59ff0150b1783f76739bd216a7770c0e9f2ec65cd75
SSDEEP

6144:6QvoWvJEGHKwvTygXUNVS4MGh1aBFrvz1xcxcWhjrt:6U5hyR1aBFrvz1xcxdjrt

Score

10^/10

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 4772	3116	9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
616	3116	WerFault.exe	82

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4772	3116	9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe	84
PID 3116 wrote to memory of 4772	3116	9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe	84
PID 3116 wrote to memory of 4772	3116	9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe	84
PID 3116 wrote to memory of 4772	3116	9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe	84
PID 3116 wrote to memory of 4772	3116	9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe	84

C:\Users\Admin\AppData\Local\Temp\9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe
"C:\Users\Admin\AppData\Local\Temp\9527c5ca5596b22722c968413898af54aa99836866ba1633eca5c435e658f2e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 160
  2⤵
  - Program crash
  PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3116 -ip 3116
1⤵
PID:2004

memory/4772-133-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4772-138-0x000000000B160000-0x000000000B778000-memory.dmp

Filesize
6.1MB

Download
memory/4772-139-0x000000000ACE0000-0x000000000ADEA000-memory.dmp

Filesize
1.0MB

Download
memory/4772-140-0x000000000AC20000-0x000000000AC32000-memory.dmp

Filesize
72KB

Download
memory/4772-141-0x000000000AC80000-0x000000000ACBC000-memory.dmp

Filesize
240KB

Download
memory/4772-142-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/4772-143-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download