redline | 956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 01:56

Target

956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe
Size

417KB
MD5

cd86be81ddf241013be032803530ddeb
SHA1

d84462a3afb848584ed6e871a3ee02c3213c2c08
SHA256

956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd
SHA512

2779ce00849e22ed68dfa653cdb782c650a0126c3603409610e0499652a72ed0d1635bc3619a93642a49635bfde672428809eb032587f9d458aba59bb466fc57
SSDEEP

12288:4+Pv3L1UTL073jVoHfO5jN/maLPXjh6np3:vv3L1UT473jVo/KjEgPzs

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2924-0-0x0000000001190000-0x00000000011FC000-memory.dmp	family_redline

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1548 2924 WerFault.exe 956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe

pid	pid_target	process	target process
1548	2924	WerFault.exe	956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe

description	pid	process	target process
PID 2924 wrote to memory of 1548	2924	956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe	WerFault.exe
PID 2924 wrote to memory of 1548	2924	956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe	WerFault.exe
PID 2924 wrote to memory of 1548	2924	956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe	WerFault.exe
PID 2924 wrote to memory of 1548	2924	956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe
"C:\Users\Admin\AppData\Local\Temp\956c0fd36c2f21f37b8782caa8e5f337dcf9083994c28080d2f42a3a2cfcdbbd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 92
2⤵
- Program crash
PID:1548

memory/2924-0-0x0000000001190000-0x00000000011FC000-memory.dmp

Filesize
432KB

Download