redline | 24298788ef815c8db03ed863813543276cd790e69227761dfd14a01d9ac2e899

Analysis

max time kernel
299s
max time network
311s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 05:10

Target

4jS459oE.exe
Size

1.2MB
MD5

c7bdf9f271930e91de49fecd15c74608
SHA1

182e0da7fce4b75460d4a7035386aa072949d3ae
SHA256

24298788ef815c8db03ed863813543276cd790e69227761dfd14a01d9ac2e899
SHA512

b5a7108c4c28fc13c679b61b003a2bd26f3ac07a55e223c3939e1bd6a5aa47f6ab70abca1c64f41d0d478e13656115139543578f5a07639067f20dd5ef4aceba
SSDEEP

24576:XZ22dAiItf+BVHjcIoRj3csPwTSLcqDB:hItf+BVAIwPoTSLcqN

Score

10^/10

Family

redline

Botnet

grome

77.91.124.86:19084

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1740-2-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/1740-5-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/1740-3-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/1740-9-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/1740-7-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

4jS459oE.exe

description pid process target process

PID 2200 set thread context of 1740 2200 4jS459oE.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2060 2200 WerFault.exe 4jS459oE.exe

description	pid	process	target process
PID 2200 set thread context of 1740	2200	4jS459oE.exe	AppLaunch.exe

pid	pid_target	process	target process
2060	2200	WerFault.exe	4jS459oE.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4jS459oE.exe

description	pid	process	target process
PID 2200 wrote to memory of 2476	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 2476	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 2476	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 2476	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 2476	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 2476	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 2476	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 1740	2200	4jS459oE.exe	AppLaunch.exe
PID 2200 wrote to memory of 2060	2200	4jS459oE.exe	WerFault.exe
PID 2200 wrote to memory of 2060	2200	4jS459oE.exe	WerFault.exe
PID 2200 wrote to memory of 2060	2200	4jS459oE.exe	WerFault.exe
PID 2200 wrote to memory of 2060	2200	4jS459oE.exe	WerFault.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 112
2⤵
- Program crash
PID:2060

memory/1740-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1740-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-10-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-11-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download
memory/1740-12-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-13-0x0000000007200000-0x0000000007240000-memory.dmp

Filesize
256KB

Download