redline | 00517c79522072188015874aea7da2b0cc47a2527d8e22bdad86385deec60883

General

Target

4Mr726Sl.exe
Size

459KB
MD5

0dc5b68d3dabacbb1180ff5055d6c760
SHA1

15eefebd9a753cb096932f7696fa9fc774f2523f
SHA256

00517c79522072188015874aea7da2b0cc47a2527d8e22bdad86385deec60883
SHA512

b842ff9b30f394964a1e7888807b45312d6a923fedfe6a4a2d4f26fe84a00de7878fbf6acdfe795dba446d8e5c42c66c0ad4e31193a54171bfe933873e55f0ca
SSDEEP

6144:mfjhibDPM4jjdpvIN8fp7z5BAOCP2Taf+sDa+hUTn36FBJF8uVZlLoe6U0X:mfjaDPjjb/gPY36Lo5e6ZX

Score

10^/10

redline frant infostealer

Malware Config

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2548-2-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2548-3-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2548-5-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2548-7-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/2548-9-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

4Mr726Sl.exe

description pid process target process

PID 3004 set thread context of 2548 3004 4Mr726Sl.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2600 3004 WerFault.exe 4Mr726Sl.exe

description	pid	process	target process
PID 3004 set thread context of 2548	3004	4Mr726Sl.exe	AppLaunch.exe

pid	pid_target	process	target process
2600	3004	WerFault.exe	4Mr726Sl.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

4Mr726Sl.exe

description	pid	process	target process
PID 3004 wrote to memory of 2640	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2640	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2640	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2640	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2640	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2640	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2640	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2948	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2948	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2948	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2948	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2948	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2948	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2948	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2548	3004	4Mr726Sl.exe	AppLaunch.exe
PID 3004 wrote to memory of 2600	3004	4Mr726Sl.exe	WerFault.exe
PID 3004 wrote to memory of 2600	3004	4Mr726Sl.exe	WerFault.exe
PID 3004 wrote to memory of 2600	3004	4Mr726Sl.exe	WerFault.exe
PID 3004 wrote to memory of 2600	3004	4Mr726Sl.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4Mr726Sl.exe
"C:\Users\Admin\AppData\Local\Temp\4Mr726Sl.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 156
2⤵
- Program crash
PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2548-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-10-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2548-11-0x0000000007420000-0x0000000007460000-memory.dmp

Filesize
256KB

Download
memory/2548-12-0x00000000746E0000-0x0000000074DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2548-13-0x0000000007420000-0x0000000007460000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads