redline | 8cbcd459d3ec3e02afb56c45998ee13d21a8cd608872d3a4b34a4e50271691e6

Analysis

max time kernel
290s
max time network
307s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
30-10-2023 06:39

Target

4ME527IC.exe
Size

1.1MB
MD5

c474cb24af058ec68f12ecedb0bd6087
SHA1

ba1cdb7706fc2085052d82a3ed402aa443a164d7
SHA256

8cbcd459d3ec3e02afb56c45998ee13d21a8cd608872d3a4b34a4e50271691e6
SHA512

cd55dee64cdebd241f7c2346eb1a623c039efbcc2d692c779d7fbe7a6b398ac2650f3ce9a7b19d9f0e7ae1c297703161872fbef045c089b052ec97c09a6cccaa
SSDEEP

12288:x6ygLhqezHWdgAw/26p6LTNzTnMtGbSFFgpulNNj8Bus897tz6Lz2nzTz/J15i:TShqeHWdgAw/26p6XytGbSaOcKt/

Score

10^/10

Family

redline

Botnet

grome

77.91.124.86:19084

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4052-0-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4588 set thread context of 4052	4588	4ME527IC.exe	70

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4864	4588	WerFault.exe	69

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4052	4588	4ME527IC.exe	70
PID 4588 wrote to memory of 4052	4588	4ME527IC.exe	70
PID 4588 wrote to memory of 4052	4588	4ME527IC.exe	70
PID 4588 wrote to memory of 4052	4588	4ME527IC.exe	70
PID 4588 wrote to memory of 4052	4588	4ME527IC.exe	70
PID 4588 wrote to memory of 4052	4588	4ME527IC.exe	70
PID 4588 wrote to memory of 4052	4588	4ME527IC.exe	70
PID 4588 wrote to memory of 4052	4588	4ME527IC.exe	70

C:\Users\Admin\AppData\Local\Temp\4ME527IC.exe
"C:\Users\Admin\AppData\Local\Temp\4ME527IC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 304
  2⤵
  - Program crash
  PID:4864

memory/4052-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-4-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-5-0x000000000BB90000-0x000000000C08E000-memory.dmp

Filesize
5.0MB

Download
memory/4052-6-0x000000000B730000-0x000000000B7C2000-memory.dmp

Filesize
584KB

Download
memory/4052-7-0x000000000B700000-0x000000000B710000-memory.dmp

Filesize
64KB

Download
memory/4052-8-0x000000000B6F0000-0x000000000B6FA000-memory.dmp

Filesize
40KB

Download
memory/4052-9-0x000000000C6A0000-0x000000000CCA6000-memory.dmp

Filesize
6.0MB

Download
memory/4052-10-0x000000000BA20000-0x000000000BB2A000-memory.dmp

Filesize
1.0MB

Download
memory/4052-11-0x000000000B950000-0x000000000B962000-memory.dmp

Filesize
72KB

Download
memory/4052-12-0x000000000B9B0000-0x000000000B9EE000-memory.dmp

Filesize
248KB

Download
memory/4052-13-0x000000000BB30000-0x000000000BB7B000-memory.dmp

Filesize
300KB

Download
memory/4052-18-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-19-0x000000000B700000-0x000000000B710000-memory.dmp

Filesize
64KB

Download