redline | 47aea7aea579cb10266d4d100542eeeb3ec6864a1e4b26f21231b29020e0bfb3

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 01:40

Target

b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe
Size

243KB
MD5

6d3a88a202ef9616439751588421a6de
SHA1

36830e973c50a88f0e49a201730af3e04c995c1f
SHA256

b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876
SHA512

59238849991a211296921af9861040bb35d0737f49320a6480d490af73509cc53f97a1c096e977a0dafb4c931bdbb7767c396e2340d9e67357c12608bd37cafd
SSDEEP

3072:YQLkmP451iuiDJYFPINDXQ38UT5xS5FEOcuuaKthrHeRKYIbWpu4E5I8:rLkmAkoKuOpudeRCKpui8

Score

10^/10

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

147.135.165.22:17748

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2312 set thread context of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28
PID 2312 wrote to memory of 2080	2312	b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe	28

C:\Users\Admin\AppData\Local\Temp\b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe
"C:\Users\Admin\AppData\Local\Temp\b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe
  "C:\Users\Admin\AppData\Local\Temp\b57de37a80f74078a963dfc2ef5881250be4935b0dce103af1e1479195c09876.exe"
  2⤵
  PID:2080

memory/2080-66-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/2080-67-0x0000000001ED0000-0x0000000001F04000-memory.dmp

Filesize
208KB

Download
memory/2080-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-71-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2080-65-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/2080-64-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-63-0x0000000001E90000-0x0000000001EC8000-memory.dmp

Filesize
224KB

Download
memory/2080-68-0x0000000002000000-0x0000000002006000-memory.dmp

Filesize
24KB

Download
memory/2080-69-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/2312-55-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2312-58-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download