redline | e56d4a833792fc1a4f97f54029a422e1cdf0ff0734963a0a48667f6e03563cbb

Analysis

max time kernel
291s
max time network
303s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19/09/2023, 06:50

Target

j1132617.exe
Size

399KB
MD5

3d4b5022c6474f46484f0d8aed6363ef
SHA1

8e4a74cfb8462b96488e5297b0cb160c650cc832
SHA256

e56d4a833792fc1a4f97f54029a422e1cdf0ff0734963a0a48667f6e03563cbb
SHA512

4e8c762f1f7e34863991659de971920a8fce9c3f313c5ec66ed00b1158a8aa858dd7240b521c164e6fb6921f850ff18d16bb6ff1b3d325022381fe516b768f9b
SSDEEP

6144:CJbjEq2jicP5iOo2T8VrSd/sUAOEclV0HRa0CJRC2HtYfW1Sa:CJbrqiG59ouKc7GCJw2Ht8W1Sa

Score

10^/10

Family

redline

Botnet

prets

77.91.124.82:19071

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2436 set thread context of 1700	2436	j1132617.exe	29

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29
PID 2436 wrote to memory of 1700	2436	j1132617.exe	29

C:\Users\Admin\AppData\Local\Temp\j1132617.exe
"C:\Users\Admin\AppData\Local\Temp\j1132617.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1700

memory/1700-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1700-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1700-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1700-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1700-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1700-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1700-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1700-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1700-10-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-11-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1700-12-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download
memory/1700-13-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-14-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download