redline | caf195897395918e07ddc9ef0e889c9f33545be81a4ef86c647308c07ba83841

Analysis

max time kernel
161s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2023 13:38

Target

NEAS.8530c2a66494217c850c08e82c827830.exe
Size

1.2MB
MD5

8530c2a66494217c850c08e82c827830
SHA1

815f733618725c106c57419c7e442886f2feba6f
SHA256

caf195897395918e07ddc9ef0e889c9f33545be81a4ef86c647308c07ba83841
SHA512

3615eb7d3c3d8422d705eb12e2f7770e3e0e0993fdd13374e01164eb4efa4e47b36186d0c33e9f28112d7debdbc7519876a9214071307a4216a3ff0ed86f05a0
SSDEEP

24576:O40IHgLyqx9JyZbaBsDglv9sTpy+S5BwG:TCx9JyZovy4L5BwG

Score

10^/10

Family

redline

Botnet

grome

77.91.124.86:19084

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2312-0-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

NEAS.8530c2a66494217c850c08e82c827830.exe

description pid process target process

PID 4680 set thread context of 2312 4680 NEAS.8530c2a66494217c850c08e82c827830.exe AppLaunch.exe

description	pid	process	target process
PID 4680 set thread context of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

NEAS.8530c2a66494217c850c08e82c827830.exe

description	pid	process	target process
PID 4680 wrote to memory of 5004	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 5004	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 5004	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe
PID 4680 wrote to memory of 2312	4680	NEAS.8530c2a66494217c850c08e82c827830.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2312

memory/2312-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-1-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/2312-2-0x0000000007CE0000-0x0000000008284000-memory.dmp

Filesize
5.6MB

Download
memory/2312-3-0x0000000007810000-0x00000000078A2000-memory.dmp

Filesize
584KB

Download
memory/2312-4-0x00000000079C0000-0x00000000079D0000-memory.dmp

Filesize
64KB

Download
memory/2312-5-0x00000000078D0000-0x00000000078DA000-memory.dmp

Filesize
40KB

Download
memory/2312-6-0x00000000088B0000-0x0000000008EC8000-memory.dmp

Filesize
6.1MB

Download
memory/2312-7-0x0000000007BD0000-0x0000000007CDA000-memory.dmp

Filesize
1.0MB

Download
memory/2312-8-0x0000000007AC0000-0x0000000007AD2000-memory.dmp

Filesize
72KB

Download
memory/2312-9-0x0000000007B20000-0x0000000007B5C000-memory.dmp

Filesize
240KB

Download
memory/2312-10-0x0000000007B60000-0x0000000007BAC000-memory.dmp

Filesize
304KB

Download
memory/2312-11-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/2312-12-0x00000000079C0000-0x00000000079D0000-memory.dmp

Filesize
64KB

Download