redline | e93e1bc916a1c530997476aa46c20e09954403519d49063aecb3bd7cf1b3d015

Analysis

max time kernel
127s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 04:30

Target

NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe
Size

311KB
MD5

fe6aa6b62ec619150b2b02d0bbf412d0
SHA1

00c9387661e70c14a9864bf924a4a337b8659494
SHA256

e93e1bc916a1c530997476aa46c20e09954403519d49063aecb3bd7cf1b3d015
SHA512

c87a62455255f33711ebfd782da86ebe767569a78e1fc27d26b56561e2a24f50c9a2e4323284603a6446d706f2eecd227503e0ff6d2fce2887a81b348c2ae440
SSDEEP

3072:zjlomiD4ecS37wnKHZtRjHAUUpP+/JNYnr9gg24Fic0STdy9KPr7gkCWaHR+i6Z/:P3AE2wKDWneR2H0STdqIGjbc

Score

10^/10

Family

redline

Botnet

taiga

5.42.92.51:19057

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4996-0-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3824 set thread context of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99
PID 3824 wrote to memory of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99
PID 3824 wrote to memory of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99
PID 3824 wrote to memory of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99
PID 3824 wrote to memory of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99
PID 3824 wrote to memory of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99
PID 3824 wrote to memory of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99
PID 3824 wrote to memory of 4996	3824	NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fe6aa6b62ec619150b2b02d0bbf412d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4996

memory/4996-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-1-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4996-2-0x0000000007850000-0x0000000007DF4000-memory.dmp

Filesize
5.6MB

Download
memory/4996-3-0x0000000007380000-0x0000000007412000-memory.dmp

Filesize
584KB

Download
memory/4996-4-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download
memory/4996-5-0x0000000007520000-0x000000000752A000-memory.dmp

Filesize
40KB

Download
memory/4996-6-0x0000000008420000-0x0000000008A38000-memory.dmp

Filesize
6.1MB

Download
memory/4996-7-0x0000000007E00000-0x0000000007F0A000-memory.dmp

Filesize
1.0MB

Download
memory/4996-8-0x0000000007600000-0x0000000007612000-memory.dmp

Filesize
72KB

Download
memory/4996-9-0x0000000007660000-0x000000000769C000-memory.dmp

Filesize
240KB

Download
memory/4996-10-0x00000000076C0000-0x000000000770C000-memory.dmp

Filesize
304KB

Download
memory/4996-11-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4996-12-0x0000000007550000-0x0000000007560000-memory.dmp

Filesize
64KB

Download