redline | 722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a

General

Target

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
Size

18.8MB
MD5

9211e67da80fe6d9f713f6b4aece1d27
SHA1

e271997ff6d723260ac8af44e37ed6a59adaaac2
SHA256

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a
SHA512

65950fbb4a3bc4bb0042502d5c4f363687e228e08fc606770323c2ac6590f241ab65ce53671dbaebaa958239154a33943c4132c9ad67554ae0bba9d4403e07ab
SSDEEP

393216:qynEX19Y0QBTstAfrrKgbKR2/KFZ9F9EIbHmWJqgLT1:qHLYPBTsmPKxvyIi0nX1

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2604-80-0x0000000001340000-0x00000000013BE000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Ujc7eRsXhT.exeR8pX7QSikc.exe

pid process

2248 Ujc7eRsXhT.exe
2604 R8pX7QSikc.exe

pid	process
2248	Ujc7eRsXhT.exe
2604	R8pX7QSikc.exe

Loads dropped DLL 7 IoCs

Processes:

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exeWerFault.exe

pid	process
3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exeUjc7eRsXhT.exe

pid	process
3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
2248	Ujc7eRsXhT.exe
2248	Ujc7eRsXhT.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2708 2604 WerFault.exe R8pX7QSikc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exeUjc7eRsXhT.exe

pid process

3056 722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
2248 Ujc7eRsXhT.exe

pid	pid_target	process	target process
2708	2604	WerFault.exe	R8pX7QSikc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exeR8pX7QSikc.exe

description	pid	process	target process
PID 3056 wrote to memory of 2248	3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	Ujc7eRsXhT.exe
PID 3056 wrote to memory of 2248	3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	Ujc7eRsXhT.exe
PID 3056 wrote to memory of 2248	3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	Ujc7eRsXhT.exe
PID 3056 wrote to memory of 2248	3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	Ujc7eRsXhT.exe
PID 3056 wrote to memory of 2604	3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	R8pX7QSikc.exe
PID 3056 wrote to memory of 2604	3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	R8pX7QSikc.exe
PID 3056 wrote to memory of 2604	3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	R8pX7QSikc.exe
PID 3056 wrote to memory of 2604	3056	722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe	R8pX7QSikc.exe
PID 2604 wrote to memory of 2708	2604	R8pX7QSikc.exe	WerFault.exe
PID 2604 wrote to memory of 2708	2604	R8pX7QSikc.exe	WerFault.exe
PID 2604 wrote to memory of 2708	2604	R8pX7QSikc.exe	WerFault.exe
PID 2604 wrote to memory of 2708	2604	R8pX7QSikc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe
"C:\Users\Admin\AppData\Local\Temp\722d05592673cad0177a00fd3bf940e9ec656a623f28d42e5867bda0fe58b51a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\Ujc7eRsXhT.exe
  Ujc7eRsXhT.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\R8pX7QSikc.exe
  R8pX7QSikc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 92
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\R8pX7QSikc.exe

Filesize
488KB

MD5
e1b561e9880d8d5204f20e281c5dc0a2

SHA1
730a2c9e166cb52202df5eb34352f656a901e2ad

SHA256
fe918ff5ea17f26dc67e9dce88ea0e9c36e7b7daf9b355a0f4d0a5046dd130ba

SHA512
ab139bb16c1faff8296b6c0fc868ecd215a6c2c81a88b79fa3ae174143f013abe1419f2e65580371402fd6c1a0acdfadd2dc455c6e09bd7ec2dc59fe79b0efc7

Download Submit
\Users\Admin\AppData\Local\Temp\Ujc7eRsXhT.exe

Filesize
19.1MB

MD5
912799971263c4b4415c40071c065eeb

SHA1
ae8208e2f745b261788fe0898e9bdf83f8bd2fd8

SHA256
e78bb074a1c8cf551e781ec3e21f454d1a6a6560d966cf844e8abc7ab980360d

SHA512
e076766f7d770fef58bd4e54874e38e95df1c485c6388f240412c5770ea600b05f2ff9f131da8264afa6efbf3782f7a975c6795adac9af134bc12f82de5b14de

Download Submit
memory/2248-70-0x00000000011D0000-0x0000000002F96000-memory.dmp

Filesize
29.8MB

Download
memory/2248-66-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2248-67-0x0000000077980000-0x0000000077981000-memory.dmp

Filesize
4KB

Download
memory/2248-65-0x00000000011D0000-0x0000000002F96000-memory.dmp

Filesize
29.8MB

Download
memory/2248-63-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2248-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2248-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2248-55-0x00000000011D0000-0x0000000002F96000-memory.dmp

Filesize
29.8MB

Download
memory/2604-80-0x0000000001340000-0x00000000013BE000-memory.dmp

Filesize
504KB

Download
memory/3056-29-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3056-44-0x00000000012D0000-0x000000000303A000-memory.dmp

Filesize
29.4MB

Download
memory/3056-21-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3056-24-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3056-26-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/3056-0-0x00000000012D0000-0x000000000303A000-memory.dmp

Filesize
29.4MB

Download
memory/3056-31-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3056-34-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3056-36-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3056-39-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3056-41-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3056-19-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3056-17-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3056-53-0x00000000012D0000-0x000000000303A000-memory.dmp

Filesize
29.4MB

Download
memory/3056-16-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3056-14-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3056-12-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3056-11-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3056-9-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3056-7-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3056-5-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3056-6-0x0000000077980000-0x0000000077981000-memory.dmp

Filesize
4KB

Download
memory/3056-3-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads