redline | 31d41864fd9a3baf205276e3b53824910d5f8c77469943d2f16649b9e3c77403

Analysis

max time kernel
295s
max time network
302s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 07:09

Target

j7879897.exe
Size

386KB
MD5

78ef7ad98bd03318c7af3507b2c4fa4a
SHA1

4a11c878e0c26f1ddfede813483b9eb1dcc73abb
SHA256

31d41864fd9a3baf205276e3b53824910d5f8c77469943d2f16649b9e3c77403
SHA512

8acf1c0d71c0234393585ae6224205455e591783aacbe3da136988c0a37e84190d5bb6a1ab668b6c2af3429667dabd5ab576f6302e1d7179ff96376ea301556b
SSDEEP

6144:KB88XN8YyMbUkP9cV4at8I6oDiTBbnIYDn/mxNGSCXgaNyMLn1atZWTRXQ:KlyYyMbUkdath6t+xNGvgaNNLn4eTRXQ

Score

10^/10

Family

redline

Botnet

genda

77.91.124.55:19071

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2312-5-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2312-3-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2312-2-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2312-7-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2312-9-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 2312	1692	j7879897.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2304	1692	WerFault.exe	14

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2312	1692	j7879897.exe	29
PID 1692 wrote to memory of 2304	1692	j7879897.exe	30
PID 1692 wrote to memory of 2304	1692	j7879897.exe	30
PID 1692 wrote to memory of 2304	1692	j7879897.exe	30
PID 1692 wrote to memory of 2304	1692	j7879897.exe	30

C:\Users\Admin\AppData\Local\Temp\j7879897.exe
"C:\Users\Admin\AppData\Local\Temp\j7879897.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 136
  2⤵
  - Program crash
  PID:2304

memory/2312-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2312-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-10-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-11-0x0000000004520000-0x0000000004560000-memory.dmp

Filesize
256KB

Download
memory/2312-12-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-13-0x0000000004520000-0x0000000004560000-memory.dmp

Filesize
256KB

Download