redline | a60c4b7d70eddc6161f776aa1310a78fe723cf2d6c3edea9f96707212fbf7eab

Analysis

max time kernel
297s
max time network
302s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-09-2023 05:46

Target

j4816313.exe
Size

707KB
MD5

79ad70d7c12f36729cf52971d5c4ab35
SHA1

e22d8d72f9c2d6a7b54742d3b53485f8443642e1
SHA256

a60c4b7d70eddc6161f776aa1310a78fe723cf2d6c3edea9f96707212fbf7eab
SHA512

f53f226a8b6a31bd6c55eeeff7669af86acddb86bcadcab9c7feecac96324d7e00eddea3e45a4d5113e8c747dc290d2357068178d0e68f6e30ac1ccd03ee9147
SSDEEP

12288:a2sZ4qc4QgqQ3Tr4uVQfJkusQzqO01TrNzPRHQ:a2sZ4cQgqQ3kVm1TJzpw

Score

10^/10

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 3056	1720	j4816313.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	1720	WerFault.exe	27

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 3056	1720	j4816313.exe	29
PID 1720 wrote to memory of 2636	1720	j4816313.exe	30
PID 1720 wrote to memory of 2636	1720	j4816313.exe	30
PID 1720 wrote to memory of 2636	1720	j4816313.exe	30
PID 1720 wrote to memory of 2636	1720	j4816313.exe	30

C:\Users\Admin\AppData\Local\Temp\j4816313.exe
"C:\Users\Admin\AppData\Local\Temp\j4816313.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 92
  2⤵
  - Program crash
  PID:2636

memory/3056-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-4-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3056-14-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-15-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/3056-16-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/3056-17-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-18-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download