redline | 345eec7fa7500089f3ad591521ffc2288b38d8a544f0af4a27a84f3197ee696a

Analysis

max time kernel
139s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 14:36

Target

e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe
Size

313KB
MD5

f733785f9d088490b784d4dc5584ebfb
SHA1

6c073d4208fee7cc88a235a3759b586889b91adf
SHA256

e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59
SHA512

43589b18333b0edcd6e300577f86de685058df5533bcbfdd3e30497aa76176008125fbd28deecaca5e6132c42cc5c0a583c34497f40dbe4ea577333eaebab899
SSDEEP

3072:kA05OJdM+K9F3OFq70W09SIg8Ikn2YSxx1m6MRqfjDv/YUeqiOL2bBOE:sma9Y40r8IIDxx9MRqfjD4aL

Score

10^/10

Family

redline

Botnet

@oni912

45.15.156.209:40481

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3116-1-0x0000000000E40000-0x0000000000E94000-memory.dmp	family_redline

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1832	3116	WerFault.exe	e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe
324	3116	WerFault.exe	e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe

description	pid	process	target process
PID 3116 wrote to memory of 324	3116	e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe	WerFault.exe
PID 3116 wrote to memory of 324	3116	e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe	WerFault.exe
PID 3116 wrote to memory of 324	3116	e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe
"C:\Users\Admin\AppData\Local\Temp\e7216d8b7084c0c36d90aefaf30bb7b6d10ae2ecae700889d459ed5ab1b26a59.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 800
2⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 800
2⤵
- Program crash
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3116 -ip 3116
1⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2788

memory/3116-0-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3116-1-0x0000000000E40000-0x0000000000E94000-memory.dmp

Filesize
336KB

Download
memory/3116-2-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download