redline | 1572-89-0x00000000767A0000-0x00000000768B0000-memory[.]dmp

Sharing

Copy URL Twitter E-mail

General

Target

1572-89-0x00000000767A0000-0x00000000768B0000-memory.dmp
Size

1.1MB
MD5

5763cea6e000b868d85d4e3f2681fcd6
SHA1

cf3ca39f8668fa17ef043ef33c31f7585f0e2c65
SHA256

cfc1eca75ce093f0200f0dd0419239e614f8e431cd19d7fd992bb381eaa706f1
SHA512

fa518456d8de96423fabf308b6bfe5aba2829e509791f8886c8d7a44f39d9a3b70ef94ced38121ecb9a7704f4060a6c0a4cfdd2cdb826833e360aa73f747bf29
SSDEEP

24576:nSQLX25cuDjLygceAEj8MZwHG19I0uYd1U:nSQr2RLyQ59S

Score

10^/10

redline

Malware Config

Signatures

Redline family
redline

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1572-89-0x00000000767A0000-0x00000000768B0000-memory.dmp

Files

1572-89-0x00000000767A0000-0x00000000768B0000-memory.dmp
.dll windows:6 windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

AcquireSRWLockExclusive
AcquireSRWLockShared
ActivateActCtx
AddAtomA
AddAtomW
AddConsoleAliasA
AddConsoleAliasW
AddDllDirectory
AddIntegrityLabelToBoundaryDescriptor
AddLocalAlternateComputerNameA
AddLocalAlternateComputerNameW
AddRefActCtx
AddSIDToBoundaryDescriptor
AddSecureMemoryCacheCallback
AddVectoredContinueHandler
AddVectoredExceptionHandler
AdjustCalendarDate
AllocConsole
AllocateUserPhysicalPages
AllocateUserPhysicalPagesNuma
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
AreFileApisANSI
AssignProcessToJobObject
AttachConsole
BackupRead
BackupSeek
BackupWrite
BaseCheckAppcompatCache
BaseCheckAppcompatCacheEx
BaseCheckRunApp
BaseCleanupAppcompatCacheSupport
BaseDllReadWriteIniFile
BaseDumpAppcompatCache
BaseFlushAppcompatCache
BaseFormatObjectAttributes
BaseFormatTimeOut
BaseGenerateAppCompatData
BaseGetNamedObjectDirectory
BaseInitAppcompatCacheSupport
BaseIsAppcompatInfrastructureDisabled
BaseQueryModuleData
BaseSetLastNTError
BaseThreadInitThunk
BaseUpdateAppcompatCache
BaseVerifyUnicodeString
Basep8BitStringToDynamicUnicodeString
BasepAllocateActivationContextActivationBlock
BasepAnsiStringToDynamicUnicodeString
BasepCheckAppCompat
BasepCheckBadapp
BasepCheckWinSaferRestrictions
BasepFreeActivationContextActivationBlock
BasepFreeAppCompatData
BasepMapModuleHandle
Beep
BeginUpdateResourceA
BeginUpdateResourceW
BindIoCompletionCallback
BuildCommDCBA
BuildCommDCBAndTimeoutsA
BuildCommDCBAndTimeoutsW
BuildCommDCBW
CallNamedPipeA
CallNamedPipeW
CallbackMayRunLong
CancelDeviceWakeupRequest
CancelIo
CancelIoEx
CancelSynchronousIo
CancelThreadpoolIo
CancelTimerQueueTimer
CancelWaitableTimer
ChangeTimerQueueTimer
CheckElevation
CheckElevationEnabled
CheckForReadOnlyResource
CheckNameLegalDOS8Dot3A
CheckNameLegalDOS8Dot3W
CheckRemoteDebuggerPresent
ClearCommBreak
ClearCommError
CloseConsoleHandle
CloseHandle
ClosePrivateNamespace
CloseProfileUserMapping
CloseThreadpool
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
CloseThreadpoolIo
CloseThreadpoolTimer
CloseThreadpoolWait
CloseThreadpoolWork
CmdBatNotification
CommConfigDialogA
CommConfigDialogW
CompareCalendarDates
CompareFileTime
CompareStringA
CompareStringEx
CompareStringOrdinal
CompareStringW
ConnectNamedPipe
ConsoleMenuControl
ContinueDebugEvent
ConvertCalDateTimeToSystemTime
ConvertDefaultLocale
ConvertFiberToThread
ConvertNLSDayOfWeekToWin32DayOfWeek
ConvertSystemTimeToCalDateTime
ConvertThreadToFiber
ConvertThreadToFiberEx
CopyContext
CopyFileA
CopyFileExA
CopyFileExW
CopyFileTransactedA
CopyFileTransactedW
CopyFileW
CopyLZFile
CreateActCtxA
CreateActCtxW
CreateBoundaryDescriptorA
CreateBoundaryDescriptorW
CreateConsoleScreenBuffer
CreateDirectoryA
CreateDirectoryExA
CreateDirectoryExW
CreateDirectoryTransactedA
CreateDirectoryTransactedW
CreateDirectoryW
CreateEventA
CreateEventExA
CreateEventExW
CreateEventW
CreateFiber
CreateFiberEx
CreateFileA
CreateFileMappingA
CreateFileMappingNumaA
CreateFileMappingNumaW
CreateFileMappingW
CreateFileTransactedA
CreateFileTransactedW
CreateFileW
CreateHardLinkA
CreateHardLinkTransactedA
CreateHardLinkTransactedW
CreateHardLinkW
CreateIoCompletionPort
CreateJobObjectA
CreateJobObjectW
CreateJobSet
CreateMailslotA
CreateMailslotW
CreateMemoryResourceNotification
CreateMutexA
CreateMutexExA
CreateMutexExW
CreateMutexW
CreateNamedPipeA
CreateNamedPipeW
CreatePipe
CreatePrivateNamespaceA
CreatePrivateNamespaceW
CreateProcessA
CreateProcessAsUserW
CreateProcessInternalA
CreateProcessInternalW
CreateProcessW
CreateRemoteThread
CreateRemoteThreadEx
CreateSemaphoreA
CreateSemaphoreExA
CreateSemaphoreExW
CreateSemaphoreW
CreateSocketHandle
CreateSymbolicLinkA
CreateSymbolicLinkTransactedA
CreateSymbolicLinkTransactedW
CreateSymbolicLinkW
CreateTapePartition
CreateThread
CreateThreadpool
CreateThreadpoolCleanupGroup
CreateThreadpoolIo
CreateThreadpoolTimer
CreateThreadpoolWait
CreateThreadpoolWork
CreateTimerQueue
CreateTimerQueueTimer
CreateToolhelp32Snapshot
CreateWaitableTimerA
CreateWaitableTimerExA
CreateWaitableTimerExW
CreateWaitableTimerW
CtrlRoutine
DeactivateActCtx
DebugActiveProcess
DebugActiveProcessStop
DebugBreak
DebugBreakProcess
DebugSetProcessKillOnExiE��
�
��|&�U��]
�J��|V�u�W�}��_3�^��
��_3�^��
3��E�9Et�u�M��E��HɉM��H�L �V�u�M��
�E��HɉM��H�L �V�u�M��
�H�L �V�u�M��
�b��M��^��
��j Yj ��}��Yj ��Y�u܋��r0�H0�p0�J0�z(�H(�p,�x(�z,�x,�r,�J(�r4�H4�p4_�J4^��
��Yj ��Y�u܋��r0�H0�p0�J0�z(�H(�p,�x(�z,�x,�r,�J(�r4�H4�p4_�J4^��
�H0�p0�J0�z(�H(�p,�x(�z,�x,�r,�J(�r4�H4�p4_�J4^��
z,�x,�r,�J(�r4�H4�p4_�J4^��
r4�H4�p4_�J4^��
�M��]�
V��3�9^vW3��F�P�E�P��C��8;^r�_^[]�
�E�P��C��8;^r�_^[]�
[]�
+��E��O
�u��9��_��E�F�~�^�E�
�F�~�^�E�
�
��
M;��"�
*�
��
�tQP�O
_^��
��
��
E��
�6�

�3��ˉE;�t,��U�ʃ��1�
��1�
��9�C��E;�u׋E��
��
U��U��M�9U��
QP�U��
�E��E��e
;��

j0_;��
;��
�9�w��;�rP��9wK,0 ؋E�E�E�;��y��E;E��U�
�E�E�;��y��E;E��U�
�U�
��3��M��y��[_��^��
��F�)@
�W��ar ��f�I��
�
�O��ar ��f�A��

�
A��A�M��_^��3�@À}�
�3�@À}�
�E�
��K �s4�;x��t�[��E�P��x��t��u��4
��E�P��x��t��u��4
��4
u�K$�u� ��U��Qh��t�EP�EP��]�
�Qh��t�EP�EP��]�
�VW�M ��u��u��_^]�
��_^]�
��9u��%Z
CP�E$P��E$;��@��o��PV��c��N;u(�,��F�P��G��كK �s0�;x��t��{lWVj��h��K
�@��o��PV��c��N;u(�,��F�P��G��كK �s0�;x��t��{lWVj��h��K
��N;u(�,��F�P��G��كK �s0�;x��t��{lWVj��h��K
��F�P��G��كK �s0�;x��t��{lWVj��h��K
�s0�;x��t��{lWVj��h��K
��{lWVj��h��K
�h��K
�;
��<
3ҍA�Q�Q��_^9��
��
�A��
u�8]�`
�E��
��
�E�
.�I�Eu �E�@��j _��0��If��u��t�.I�Eu �E�@��j _��0��If��u��t�.I�Eu�E�@��j _��0��If��u��E+�PAQ�v��)e��e�
�@��j _��0��If��u��t�.I�Eu �E�@��j _��0��If��u��t�.I�Eu�E�@��j _��0��If��u��E+�PAQ�v��)e��e�
�0��If��u��t�.I�Eu �E�@��j _��0��If��u��t�.I�Eu�E�@��j _��0��If��u��E+�PAQ�v��)e��e�
�u��t�.I�Eu �E�@��j _��0��If��u��t�.I�Eu�E�@��j _��0��If��u��E+�PAQ�v��)e��e�
�@��j _��0��If��u��t�.I�Eu�E�@��j _��0��If��u��E+�PAQ�v��)e��e�
�u��t�.I�Eu�E�@��j _��0��If��u��E+�PAQ�v��)e��e�
�@��j _��0��If��u��E+�PAQ�v��)e��e�
��E+�PAQ�v��)e��e�
E�^��
�E��
3��E��
��
��
t�E��
^��
e\ntos\rtl\ucsdecoders.cpp
�
d:\iso_whid\x86fre\base\isolation\isolib_parser.h
fre\base\isolation\isolib_parser.h
n\isolib_parser.h
\rtl\lutf8_string.cpp
pp
��
�
��QP��|3��
ȉ]��]�3��E�]��8]�u>�E؃�.t~��*�Hb
��8]�u>�E؃�.t~��*�Hb
��*�Hb
�E�+��mb
�8]u�e��E�M��M��H�E�M��3�^_[��
��M��H�E�M��3�^_[��
�+��HtHu f�u�8]u�e��3��E��E�u��f�u�8]u��e��㐐��
f�u�8]u�e��3��E��E�u��f�u�8]u��e��㐐��
��E�u��f�u�8]u��e��㐐��
8]u��e��㐐��
��
X�U��4�US3�VW�E��
䨄�t�]܉]؉]��]��]��]��]�;�t��u�� J�
;�t��u�� J�
��J�
��Z�
�V�
�j��;��C�
C�
E�P�E�P�uj�
�z�
�EԋU�3��E�<��
<��
]��
��
0;��
�3ۍE�PV�g��;��
E� �
ԋ{�M��}
}
�
��U��
W�֋��U��ڊ
�ڊ
t�u؍}̥��}�u̥��E܉E؉E��3��M��Ĝ��_��^[��
E؉E��3��M��Ĝ��_��^[��
Ĝ��_��^[��
��SVW��3��}��;��$�
A�E��
��_^[��U��VW�}��E��
��E��
;
W�u��X�E�`ȉt�M��E��
��]̉]Љ]ԉ]؉]Ȉ]��E�
��;��V�M�3��E�]��8]��O��E؃�.t4��*�r^
��O��E؃�.t4��*�r^
t4��*�r^
��^
�0��^

�]��r��.
�.
8Z
�Rh��t�EPQ��]�
��U�MVW��u��_^]�
��_^]�
�t��'
��u�1��
��l
E��
��n
j��;ƉE�|�u��E�^��U��(�,�t3ŉE��e�
�t3ŉE��e�
u�E��E��E�P�u�E�
�u�E�
�|�֍M��i��|3��M�3�^�V#��
��M�3�^�V#��
�
��N�K
�K
8��N]
�U]
i��$ ��[
��M�Qh��thDȉtP��;��9}��E�
��;��9}��E�
��E�
�u�9;��C�8��M�Qh��th�ωtP��;��9}��q��E�
��M�Qh��th�ωtP��;��9}��q��E�
ωtP��;��9}��q��E�
�q��E�
�ωtc
�]VW3�3�3��E��
�Љt;�t�;�M;�t�9�E��
�9�E��
�
��
��t�
�3҅��;��
�
�E��t�0�E��t�8�e�
^[��
\x86fre\base\ntos\rtl\ucsencoders.cpp
s.cpp
��3҉��E�
��E�
��E��E��7
��E��7
��7
�3��
��[��E��0��
�
�q
��=D%�t
�7
P��YZ��E��1V�p��g�t�֋��E��8
��1V�p��g�t�֋��E��8
��8
��7
�Q��Q�0h
�g�t�V��S
��3�f9�>�7
��3�f9�>�7
t��荆��'�7
��tPj��t��Y
��Y
��[��@
,�tPj��B��
��g
��7
Pj��9�7
tPj��ޅ��v�7
�\��tPj��Ņ��7
7
��3��3��tPj��蓅��؏7
�蓅��؏7
�z��2�
PW�pf�t��͏7
�͏7
f��jP��N��PS��g�t�V��
P��N��PS��g�t�V��
�g�t�V��
f9��7
��u��W�hf�tf��jP�ƃ�P�3�NS��g�t�V��x[��jP��q��g�t�֋��x=��r��7
��jP�ƃ�P�3�NS��g�t�V��x[��jP��q��g�t�֋��x=��r��7
P�3�NS��g�t�V��x[��jP��q��g�t�֋��x=��r��7
x[��jP��q��g�t�֋��x=��r��7
�g�t�֋��x=��r��7
�r��7
7
��
�x3��7
��7
��E��譯��M��螯��U��Q�@%�tSV��3�W�E�3��8��s��M�WSj��݃��z#
M��螯��U��Q�@%�tSV��3�W�E�3��8��s��M�WSj��݃��z#
tSV��3�W�E�3��8��s��M�WSj��݃��z#
M�WSj��݃��z#
�C�E��8��7
�
Չt��a
��}�
_whid\x86fre\base\isolation\tsh_tshandlep.h
base\isolation\tsh_tshandlep.h
tshandlep.h
�e�
��t��t�'
�m

�m
S��P�J
Q3с��

��PX
��F�G��_^]�
�u�u�u��
3��W
�� SW��U�ً��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ�� ǋ��ǋ��3��3��_[�7W
�� SW��U�ً��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ�� ǋ��ǋ��3��3��_[�7W
� �� SW��U�ً��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ�� ǋ��ǋ��3��3��_[�7W
��SW��U�ً��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ�� ǋ��ǋ��3��3��_[�7W
��U�ً��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ�� ǋ��ǋ��3��3��_[�7W
��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ��ǋ�� ǋ��ǋ��3��3��_[�7W

Sections

.text
Size: 832KB - Virtual size: 768KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 64KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 64KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 64KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

.text Size: 832KB - Virtual size: 768KB

.data Size: 64KB - Virtual size: 4KB

.rsrc Size: 64KB - Virtual size: 1KB

.reloc Size: 64KB - Virtual size: 43KB

.text
Size: 832KB - Virtual size: 768KB

.data
Size: 64KB - Virtual size: 4KB

.rsrc
Size: 64KB - Virtual size: 1KB

.reloc
Size: 64KB - Virtual size: 43KB