redline | 3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 09:27

Target

3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe
Size

491KB
MD5

c9ad12873e4b3f8ae042800ab6ca01b5
SHA1

4a687ce2dddd416b7da22724c312588d737b36b1
SHA256

3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867
SHA512

6b4e5a2b296d00bc2179616aaa4a040cc1938872ea9b309683226fe8979c39e6976d3c9980b1983378f081cfd76ce6af37e3b9196fbd05c584caf1e0ddf3e016
SSDEEP

12288:Z0fa1MGNMpySMcLnZ+LdfdyQPT7tnirfoCe:ka1zNM3zZIddB7tyQR

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-0-0x0000000000100000-0x000000000017F000-memory.dmp	family_redline

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1288 2168 WerFault.exe 3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe

pid	pid_target	process	target process
1288	2168	WerFault.exe	3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe

description	pid	process	target process
PID 2168 wrote to memory of 1288	2168	3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe	WerFault.exe
PID 2168 wrote to memory of 1288	2168	3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe	WerFault.exe
PID 2168 wrote to memory of 1288	2168	3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe	WerFault.exe
PID 2168 wrote to memory of 1288	2168	3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe
"C:\Users\Admin\AppData\Local\Temp\3eb812720aa52ff562da685c76976d20a569c2f0a929bde19558bdd4241e9867.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 48
2⤵
- Program crash
PID:1288

memory/2168-0-0x0000000000100000-0x000000000017F000-memory.dmp

Filesize
508KB

Download