redline | 5ed69e5d911b8e81da107ec15d7989c44edca8689517970d84354a9db4b98653

Analysis

max time kernel
339s
max time network
354s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 05:07

Target

4se182zn.exe
Size

1.1MB
MD5

a3d9d2941072762f79cd51e9033cfe7c
SHA1

2d8b476eed489e9b412bf1a2fe0737bc975c9f4d
SHA256

5ed69e5d911b8e81da107ec15d7989c44edca8689517970d84354a9db4b98653
SHA512

fdb95bb2023f1502903e20e49690a0ab5d76a2c4db82b28a26f09196255441e8189329d963720e163f2ac65efde1eaa8d57cf53cf5edac48782c60509831d160
SSDEEP

12288:XrB5IZ2nfkPenJ2U7vq/wMR5Sunrv90pxf1xh9uuSVKhAjviJeP3xnto:vg2fkPenJ2U7vqvbnrvwF0gqht

Score

10^/10

Family

redline

Botnet

plost

77.91.124.86:19084

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2128-2-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2128-3-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2128-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2128-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2128-9-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/2128-11-0x0000000007250000-0x0000000007290000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1264 set thread context of 2128	1264	4se182zn.exe	28

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28
PID 1264 wrote to memory of 2128	1264	4se182zn.exe	28

C:\Users\Admin\AppData\Local\Temp\4se182zn.exe
"C:\Users\Admin\AppData\Local\Temp\4se182zn.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2128

memory/2128-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2128-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-10-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-11-0x0000000007250000-0x0000000007290000-memory.dmp

Filesize
256KB

Download
memory/2128-12-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-13-0x0000000007250000-0x0000000007290000-memory.dmp

Filesize
256KB

Download