redline | cd76a354a02015517a2b50d75aa3b68dd0e3164adbb040f6317251016bc62b21

Resubmissions

20-03-2024 23:00

240320-2y4btadd85 10

15-03-2024 20:34

240315-zcmqtscf84 10

Analysis

max time kernel
596s
max time network
603s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe
Size

2.9MB
MD5

41b2380b454cfa680b4d2b30440e8109
SHA1

f767fbbf9ddeb69c69d0cde4927957647e8a019d
SHA256

073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456
SHA512

a2600fd86158ef8481c18acf1a74c961058b4fbf1e9461294eb39475e634fbbcdea1f60b28cbc8669cd7be17f6406743834b137f44169c3a455f7551d7164421
SSDEEP

12288:opUCj2KN8HnbttOCHfVNWDO2wF6edg0ASy0EPmLUd0btZcodN2BOjDyhC:opUCjobH9kDPww0QSyk0FhC

Score

10^/10

redline infostealer

Malware Config

Extracted

Family

redline

168.119.228.126:11552

Attributes

auth_value
ee2d0ef2a4d0cbee5b6303070e44cb8a

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral7/memory/2864-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral7/memory/2864-8-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral7/memory/2864-10-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral7/memory/2864-12-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral7/memory/2864-14-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30
PID 2324 wrote to memory of 2864	2324	073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe	30

C:\Users\Admin\AppData\Local\Temp\073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe
"C:\Users\Admin\AppData\Local\Temp\073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2324-0-0x0000000000140000-0x0000000000422000-memory.dmp

Filesize
2.9MB

Download
memory/2324-1-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2324-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2324-17-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2864-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2864-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2864-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2864-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2864-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2864-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2864-15-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2864-16-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/2864-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2864-18-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2864-19-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download