redline | 706224d01959812281290adc2f43521e5d38d0c3a556b381b8cbac2c2aa90e82

Analysis

max time kernel
181s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 17:46

Target

file.exe
Size

396KB
MD5

fa15aa45d6e71de5927a75d60bd70f7b
SHA1

e8bafb47eb22cc18d7695625da0937ac3c2d9036
SHA256

706224d01959812281290adc2f43521e5d38d0c3a556b381b8cbac2c2aa90e82
SHA512

412cddc921e1d0402409c82786404df81078bea2af48157500d3b2946b51acfb79a8b29136f9ba64d4e3c0b69d9f7c964e57cbbf849c79c7f288f4603f369e4c
SSDEEP

6144:BLErViSWAs3WHexAVklAOaF2VaAg6U6J7k8edK/EGoPGCc:BL0iSWLT0+K6U60dK/EXGCc

Score

10^/10

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

146.59.10.173:45035

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 3956	2320	file.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3516	2320	WerFault.exe	86

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1868	2320	file.exe	87
PID 2320 wrote to memory of 1868	2320	file.exe	87
PID 2320 wrote to memory of 1868	2320	file.exe	87
PID 2320 wrote to memory of 4084	2320	file.exe	88
PID 2320 wrote to memory of 4084	2320	file.exe	88
PID 2320 wrote to memory of 4084	2320	file.exe	88
PID 2320 wrote to memory of 4244	2320	file.exe	89
PID 2320 wrote to memory of 4244	2320	file.exe	89
PID 2320 wrote to memory of 4244	2320	file.exe	89
PID 2320 wrote to memory of 5072	2320	file.exe	90
PID 2320 wrote to memory of 5072	2320	file.exe	90
PID 2320 wrote to memory of 5072	2320	file.exe	90
PID 2320 wrote to memory of 3956	2320	file.exe	91
PID 2320 wrote to memory of 3956	2320	file.exe	91
PID 2320 wrote to memory of 3956	2320	file.exe	91
PID 2320 wrote to memory of 3956	2320	file.exe	91
PID 2320 wrote to memory of 3956	2320	file.exe	91
PID 2320 wrote to memory of 3956	2320	file.exe	91
PID 2320 wrote to memory of 3956	2320	file.exe	91
PID 2320 wrote to memory of 3956	2320	file.exe	91

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 320
  2⤵
  - Program crash
  PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2320 -ip 2320
1⤵
PID:3792

memory/3956-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3956-1-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3956-2-0x0000000002BB0000-0x0000000002BB6000-memory.dmp

Filesize
24KB

Download
memory/3956-3-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/3956-4-0x00000000053E0000-0x00000000054EA000-memory.dmp

Filesize
1.0MB

Download
memory/3956-6-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download
memory/3956-5-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/3956-7-0x00000000052D0000-0x000000000530C000-memory.dmp

Filesize
240KB

Download
memory/3956-8-0x0000000005310000-0x000000000535C000-memory.dmp

Filesize
304KB

Download
memory/3956-9-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3956-10-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download