redline | 0d7e8d54e84f7293a10616250294632d70eaa64de200dd7dee30fed4658138a1

Analysis

max time kernel
313s
max time network
328s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
13-10-2023 06:51

Target

4Uz226Cw.exe
Size

1.1MB
MD5

650e45a11550dd45d43af3f2220061c1
SHA1

482d76ed4b45b20007d9d5ba3cedf8617d3be46c
SHA256

0d7e8d54e84f7293a10616250294632d70eaa64de200dd7dee30fed4658138a1
SHA512

6cfb8ebcd54784436a5246589cffbfeb742c7e0e9e489da3922bcb44229375743b7809fb414903cc31b24bf98b58c1d9a18215116623656ccc0f243cd7e8c9cd
SSDEEP

12288:Ztk81c9AvX91QdxGZAQsK3AJNkY8VhT7auVo+i03F95K0XSeLeGom0:rX1c9AvX91QzQX26Y8jSWF95ZSRT

Score

10^/10

Family

redline

Botnet

breha

77.91.124.55:19071

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4732-0-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 768 set thread context of 4732	768	4Uz226Cw.exe	70

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4140	768	WerFault.exe	68

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4732	768	4Uz226Cw.exe	70
PID 768 wrote to memory of 4732	768	4Uz226Cw.exe	70
PID 768 wrote to memory of 4732	768	4Uz226Cw.exe	70
PID 768 wrote to memory of 4732	768	4Uz226Cw.exe	70
PID 768 wrote to memory of 4732	768	4Uz226Cw.exe	70
PID 768 wrote to memory of 4732	768	4Uz226Cw.exe	70
PID 768 wrote to memory of 4732	768	4Uz226Cw.exe	70
PID 768 wrote to memory of 4732	768	4Uz226Cw.exe	70

C:\Users\Admin\AppData\Local\Temp\4Uz226Cw.exe
"C:\Users\Admin\AppData\Local\Temp\4Uz226Cw.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 144
  2⤵
  - Program crash
  PID:4140

memory/4732-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4732-4-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/4732-5-0x000000000BF80000-0x000000000C47E000-memory.dmp

Filesize
5.0MB

Download
memory/4732-6-0x000000000BB20000-0x000000000BBB2000-memory.dmp

Filesize
584KB

Download
memory/4732-7-0x000000000BD50000-0x000000000BD60000-memory.dmp

Filesize
64KB

Download
memory/4732-8-0x000000000BB00000-0x000000000BB0A000-memory.dmp

Filesize
40KB

Download
memory/4732-9-0x000000000CA90000-0x000000000D096000-memory.dmp

Filesize
6.0MB

Download
memory/4732-10-0x000000000BE70000-0x000000000BF7A000-memory.dmp

Filesize
1.0MB

Download
memory/4732-11-0x000000000BD60000-0x000000000BD72000-memory.dmp

Filesize
72KB

Download
memory/4732-12-0x000000000BDC0000-0x000000000BDFE000-memory.dmp

Filesize
248KB

Download
memory/4732-13-0x000000000BE00000-0x000000000BE4B000-memory.dmp

Filesize
300KB

Download
memory/4732-18-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/4732-19-0x000000000BD50000-0x000000000BD60000-memory.dmp

Filesize
64KB

Download