redline | a09a8f63ea1e5aa0da9567588c9a9f6b8c5f587a24ce603612b9aebc31637f66

Analysis

max time kernel
290s
max time network
313s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2023 07:07

Target

j3160085.exe
Size

390KB
MD5

4b307137183cd33be6ac81af694721ba
SHA1

ba1c9d62e7e97447c9c140e0df9574b1f9705a78
SHA256

a09a8f63ea1e5aa0da9567588c9a9f6b8c5f587a24ce603612b9aebc31637f66
SHA512

e5e3d8203f8801f698a1006f7976041219efb0269b63e5f714041488a3a302adcce5c22f221f2b5e349cdec2d4bf1e2520ead1b9606f0ace44c51c6875b1a3d8
SSDEEP

6144:YvXFo/N5ExgFbNOUAHEHIXbLvZAOixYPdgz0Tjxdy8MVs0BC+:IwDExgFY5vx0xudG0/q8Is0BC+

Score

10^/10

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

j3160085.exe

description pid process target process

PID 4348 set thread context of 1840 4348 j3160085.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4748 4348 WerFault.exe j3160085.exe

description	pid	process	target process
PID 4348 set thread context of 1840	4348	j3160085.exe	AppLaunch.exe

pid	pid_target	process	target process
4748	4348	WerFault.exe	j3160085.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

j3160085.exe

description	pid	process	target process
PID 4348 wrote to memory of 1840	4348	j3160085.exe	AppLaunch.exe
PID 4348 wrote to memory of 1840	4348	j3160085.exe	AppLaunch.exe
PID 4348 wrote to memory of 1840	4348	j3160085.exe	AppLaunch.exe
PID 4348 wrote to memory of 1840	4348	j3160085.exe	AppLaunch.exe
PID 4348 wrote to memory of 1840	4348	j3160085.exe	AppLaunch.exe
PID 4348 wrote to memory of 1840	4348	j3160085.exe	AppLaunch.exe
PID 4348 wrote to memory of 1840	4348	j3160085.exe	AppLaunch.exe
PID 4348 wrote to memory of 1840	4348	j3160085.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\j3160085.exe
"C:\Users\Admin\AppData\Local\Temp\j3160085.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 252
  2⤵
  - Program crash
  PID:4748

memory/1840-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1840-4-0x0000000073760000-0x0000000073E4E000-memory.dmp

Filesize
6.9MB

Download
memory/1840-5-0x00000000010F0000-0x00000000010F6000-memory.dmp

Filesize
24KB

Download
memory/1840-6-0x0000000009650000-0x0000000009C56000-memory.dmp

Filesize
6.0MB

Download
memory/1840-7-0x0000000009150000-0x000000000925A000-memory.dmp

Filesize
1.0MB

Download
memory/1840-9-0x0000000008F30000-0x0000000008F40000-memory.dmp

Filesize
64KB

Download
memory/1840-8-0x0000000006A40000-0x0000000006A52000-memory.dmp

Filesize
72KB

Download
memory/1840-10-0x0000000008EF0000-0x0000000008F2E000-memory.dmp

Filesize
248KB

Download
memory/1840-11-0x0000000009040000-0x000000000908B000-memory.dmp

Filesize
300KB

Download
memory/1840-16-0x0000000073760000-0x0000000073E4E000-memory.dmp

Filesize
6.9MB

Download
memory/1840-17-0x0000000008F30000-0x0000000008F40000-memory.dmp

Filesize
64KB

Download