redline | eb104ce924ac2c526c482db13312aa44ad634b3b934de628b5e0d4b2b1d60146

Analysis

max time kernel
290s
max time network
297s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-10-2023 07:08

Target

j0377021.exe
Size

390KB
MD5

5400ef9b599b97241b92c86f3dbd4cfd
SHA1

c1f2456bc1bd87ca2202be79a8e5849e91d99dd1
SHA256

eb104ce924ac2c526c482db13312aa44ad634b3b934de628b5e0d4b2b1d60146
SHA512

c4d72a3063da664b87d7cb94d4a7e43ea62ec541b68e4ba79622292a9d46355d12a7677a08257358e4793187a944595fd164307fcaabfdd311cecbf22933e630
SSDEEP

6144:jhXFo/N5ExgFbNOUAHEHIXbLvZAOSu5rud2lXnr5QfjMrAcVs0BC+:DwDExgFY5vx0uy2lGwrA4s0BC+

Score

10^/10

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

j0377021.exe

description pid process target process

PID 2952 set thread context of 3004 2952 j0377021.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2260 2952 WerFault.exe j0377021.exe

description	pid	process	target process
PID 2952 set thread context of 3004	2952	j0377021.exe	AppLaunch.exe

pid	pid_target	process	target process
2260	2952	WerFault.exe	j0377021.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

j0377021.exe

description	pid	process	target process
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 3004	2952	j0377021.exe	AppLaunch.exe
PID 2952 wrote to memory of 2260	2952	j0377021.exe	WerFault.exe
PID 2952 wrote to memory of 2260	2952	j0377021.exe	WerFault.exe
PID 2952 wrote to memory of 2260	2952	j0377021.exe	WerFault.exe
PID 2952 wrote to memory of 2260	2952	j0377021.exe	WerFault.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 76
2⤵
- Program crash
PID:2260

memory/3004-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-10-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-11-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/3004-12-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/3004-13-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-14-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download