redline | 7fcefdae6d01431202b30b4b18eac815bc05a9e6dcc18b18b5055e4942aa5be7

Analysis

max time kernel
291s
max time network
303s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-09-2023 06:11

Target

k8303888.exe
Size

419KB
MD5

5debbb56195829875cdceed4422c632c
SHA1

28f70c3d8269b56ea63495d75b03ccdfe016ea1e
SHA256

7fcefdae6d01431202b30b4b18eac815bc05a9e6dcc18b18b5055e4942aa5be7
SHA512

6006c457ba521597902c234233cd44ccc364c8380cd3f6ad7a475b91b28beea97318378af96e7907377c6261c1b0af7234b3590b0167e1eeb8b39f79de5c86ad
SSDEEP

6144:5Yba2/KMiCQy4bwSjQzL9ois436xMhAOjb74g/SiHQeMbbwbbbyGA3Lp:5x2SMiu4Ms436xMhNbWKMbbwbbby3t

Score

10^/10

Family

redline

Botnet

tuco

77.91.124.82:19071

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

k8303888.exe

description pid process target process

PID 2884 set thread context of 1332 2884 k8303888.exe AppLaunch.exe

description	pid	process	target process
PID 2884 set thread context of 1332	2884	k8303888.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

k8303888.exe

description	pid	process	target process
PID 2884 wrote to memory of 2084	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 2084	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 2084	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 2084	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 2084	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 2084	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 2084	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe
PID 2884 wrote to memory of 1332	2884	k8303888.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1332

memory/1332-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1332-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1332-10-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1332-11-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/1332-12-0x0000000000830000-0x0000000000870000-memory.dmp

Filesize
256KB

Download
memory/1332-13-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1332-14-0x0000000000830000-0x0000000000870000-memory.dmp

Filesize
256KB

Download