redline | 23ef5603149192e189998331bb9b43be07b0f97f258b517984b72bb47c1b2603

Analysis

max time kernel
290s
max time network
308s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2023 07:08

Target

j4022667.exe
Size

390KB
MD5

4d8051a1ad2c9628e90f988da2b32b1b
SHA1

9bbd298aff71e744b6ad5c865becf0e152c68a89
SHA256

23ef5603149192e189998331bb9b43be07b0f97f258b517984b72bb47c1b2603
SHA512

728416fcc46c4a2d3ef4809f1d85d46bb137f2801a12168b61ca38f0e7a35cc12ef49be389943bb75aea971c2c8131a7a95e1b1ee26840dace370eb576105519
SSDEEP

6144:T9XFo/N5ExgFbNOUAHEHIXbLvZAOzz1jk4eUq9+GcVs0BC+:PwDExgFY5vxQ1UqcJs0BC+

Score

10^/10

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

j4022667.exe

description pid process target process

PID 4428 set thread context of 4708 4428 j4022667.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2036 4428 WerFault.exe j4022667.exe

description	pid	process	target process
PID 4428 set thread context of 4708	4428	j4022667.exe	AppLaunch.exe

pid	pid_target	process	target process
2036	4428	WerFault.exe	j4022667.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

j4022667.exe

description	pid	process	target process
PID 4428 wrote to memory of 3108	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 3108	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 3108	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 4708	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 4708	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 4708	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 4708	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 4708	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 4708	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 4708	4428	j4022667.exe	AppLaunch.exe
PID 4428 wrote to memory of 4708	4428	j4022667.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\j4022667.exe
"C:\Users\Admin\AppData\Local\Temp\j4022667.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 268
  2⤵
  - Program crash
  PID:2036

memory/4708-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4708-4-0x0000000073610000-0x0000000073CFE000-memory.dmp

Filesize
6.9MB

Download
memory/4708-5-0x00000000069D0000-0x00000000069D6000-memory.dmp

Filesize
24KB

Download
memory/4708-6-0x0000000009640000-0x0000000009C46000-memory.dmp

Filesize
6.0MB

Download
memory/4708-7-0x0000000009140000-0x000000000924A000-memory.dmp

Filesize
1.0MB

Download
memory/4708-9-0x0000000008F20000-0x0000000008F30000-memory.dmp

Filesize
64KB

Download
memory/4708-8-0x0000000008E70000-0x0000000008E82000-memory.dmp

Filesize
72KB

Download
memory/4708-10-0x0000000008ED0000-0x0000000008F0E000-memory.dmp

Filesize
248KB

Download
memory/4708-11-0x0000000009030000-0x000000000907B000-memory.dmp

Filesize
300KB

Download
memory/4708-16-0x0000000073610000-0x0000000073CFE000-memory.dmp

Filesize
6.9MB

Download
memory/4708-17-0x0000000008F20000-0x0000000008F30000-memory.dmp

Filesize
64KB

Download