redline | fb787607b521c23bd9f7c9235f383b5a58f0c14b86e9f754c8c06ee0c7c4dacd

Analysis

max time kernel
291s
max time network
298s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 01:34

Target

j1850751.exe
Size

393KB
MD5

515d22083483fb4fb2f5ca6455754723
SHA1

0c44ef2831de6999248610ed5a8869c5ff2b3db7
SHA256

fb787607b521c23bd9f7c9235f383b5a58f0c14b86e9f754c8c06ee0c7c4dacd
SHA512

29fac4649976c0481323577cbadf48eee06655d5bbf87da202ae0c4886d44d2528bd03531fa3e005402e840ee0d54484031a2a8a8f158532af076b0b4489f08a
SSDEEP

6144:facaGEZt20ZSwbz8+Dxe8kVAOYlQsNAH0ZnzInOrj6TZR9YKulbHSY1h8Ey:faFzZtT78Ti2QpP1h8Ey

Score

10^/10

Family

redline

Botnet

monik

77.91.124.82:19071

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 1340	2288	j1850751.exe	29

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29
PID 2288 wrote to memory of 1340	2288	j1850751.exe	29

C:\Users\Admin\AppData\Local\Temp\j1850751.exe
"C:\Users\Admin\AppData\Local\Temp\j1850751.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1340

memory/1340-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1340-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1340-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1340-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1340-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1340-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1340-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1340-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1340-10-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-11-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1340-12-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1340-13-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-14-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download