redline | a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 20:14

Target

a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe
Size

414KB
MD5

8df2641a982d5c42b1a26aad3c9b88fc
SHA1

c03a470acefdc61412d5b25d57b57eceef898d0d
SHA256

a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51
SHA512

b0205b47364f3f339892bd388b0ceb7c6cca468e04db896e9a5b6371c2039d4167cbbaf4c14f8aedb16a0283b0925e79ead6e4f1993b0f56b3b8378ce6637d13
SSDEEP

6144:NlUnkAlR2SaOmUPvbeAOiTY5kJZXfLPm2vEpy5Us420tfxul:YnkaR2Vke9SXXDPloy5Tufk

Score

10^/10

Family

redline

Botnet

taiga

5.42.92.51:19057

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2956-0-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90
PID 2380 wrote to memory of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90
PID 2380 wrote to memory of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90
PID 2380 wrote to memory of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90
PID 2380 wrote to memory of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90
PID 2380 wrote to memory of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90
PID 2380 wrote to memory of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90
PID 2380 wrote to memory of 2956	2380	a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe	90

C:\Users\Admin\AppData\Local\Temp\a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe
"C:\Users\Admin\AppData\Local\Temp\a8214be6431a029a423403db367166fb218a51c68b08027d204074e4d8aa7b51.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2956

memory/2956-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-1-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2956-2-0x0000000007AE0000-0x0000000008084000-memory.dmp

Filesize
5.6MB

Download
memory/2956-3-0x00000000075D0000-0x0000000007662000-memory.dmp

Filesize
584KB

Download
memory/2956-4-0x00000000075B0000-0x00000000075C0000-memory.dmp

Filesize
64KB

Download
memory/2956-5-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/2956-6-0x00000000086B0000-0x0000000008CC8000-memory.dmp

Filesize
6.1MB

Download
memory/2956-7-0x0000000007960000-0x0000000007A6A000-memory.dmp

Filesize
1.0MB

Download
memory/2956-8-0x00000000077D0000-0x00000000077E2000-memory.dmp

Filesize
72KB

Download
memory/2956-9-0x0000000007850000-0x000000000788C000-memory.dmp

Filesize
240KB

Download
memory/2956-10-0x0000000007890000-0x00000000078DC000-memory.dmp

Filesize
304KB

Download
memory/2956-11-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/2956-12-0x00000000075B0000-0x00000000075C0000-memory.dmp

Filesize
64KB

Download