redline | e791a42ab7baf1299bbc3bc6de9c72ca65cb9464a200eee17e530fa3b272f680

Analysis

max time kernel
292s
max time network
300s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2023 06:52

Target

j0811965.exe
Size

405KB
MD5

95882a04cf43e9e5881417bc8e0ec5b7
SHA1

02788585baeecb70d2a7a5f8af72511044aa8b8f
SHA256

e791a42ab7baf1299bbc3bc6de9c72ca65cb9464a200eee17e530fa3b272f680
SHA512

0e652afd5b5511dd20e94aee91be3632bbaab1dee2689871148cdbf84e060359195ffa7f86ea2b0d91d6cdf84035211272fcedaa41173029477689f7327e90d4
SSDEEP

6144:F3vJm09zORs+z/TMify9DAOooQRfF45C4NHe7Lcm8/:Ffw09CK5NfMfF45L+7LX8/

Score

10^/10

Family

redline

Botnet

monik

77.91.124.82:19071

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

j0811965.exe

description pid process target process

PID 528 set thread context of 1420 528 j0811965.exe AppLaunch.exe

description	pid	process	target process
PID 528 set thread context of 1420	528	j0811965.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

j0811965.exe

description	pid	process	target process
PID 528 wrote to memory of 1420	528	j0811965.exe	AppLaunch.exe
PID 528 wrote to memory of 1420	528	j0811965.exe	AppLaunch.exe
PID 528 wrote to memory of 1420	528	j0811965.exe	AppLaunch.exe
PID 528 wrote to memory of 1420	528	j0811965.exe	AppLaunch.exe
PID 528 wrote to memory of 1420	528	j0811965.exe	AppLaunch.exe
PID 528 wrote to memory of 1420	528	j0811965.exe	AppLaunch.exe
PID 528 wrote to memory of 1420	528	j0811965.exe	AppLaunch.exe
PID 528 wrote to memory of 1420	528	j0811965.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\j0811965.exe
"C:\Users\Admin\AppData\Local\Temp\j0811965.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
PID:1420

memory/1420-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1420-4-0x00000000733B0000-0x0000000073A9E000-memory.dmp

Filesize
6MB

Download
memory/1420-5-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/1420-6-0x000000000EA20000-0x000000000F026000-memory.dmp

Filesize
6MB

Download
memory/1420-7-0x000000000E560000-0x000000000E66A000-memory.dmp

Filesize
1MB

Download
memory/1420-8-0x0000000008F80000-0x0000000008F90000-memory.dmp

Filesize
64KB

Download
memory/1420-9-0x000000000E490000-0x000000000E4A2000-memory.dmp

Filesize
72KB

Download
memory/1420-10-0x000000000E4F0000-0x000000000E52E000-memory.dmp

Filesize
248KB

Download
memory/1420-11-0x000000000E670000-0x000000000E6BB000-memory.dmp

Filesize
300KB

Download
memory/1420-16-0x00000000733B0000-0x0000000073A9E000-memory.dmp

Filesize
6MB

Download
memory/1420-17-0x0000000008F80000-0x0000000008F90000-memory.dmp

Filesize
64KB

Download