redline | 804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 01:30

Target

804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe
Size

469KB
MD5

7fe965830a88092157b8f558a6aa3c3c
SHA1

727a3f4efcd686b67224ab655f438b7878d1ee18
SHA256

804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340
SHA512

f31d76c1236db390975ba9b8ef5212b8b94275cc0e967894cb334d6e24d2e76afc7c3449d515173c732dcfb703b70c82aa0eeb88cbfa56de73bcda49213cc5f6
SSDEEP

6144:dZlB8LBngajQdG5uRWaV7P8psETjdTyK0Qh/wS+dDaUIVVPmKErwNfiQuZx5Wwpr:3lBm8euLP8KEXdu7amkDVbEMNubTpr

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2208-0-0x00000000000A0000-0x0000000000117000-memory.dmp	family_redline

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2032 2208 WerFault.exe 804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe

pid	pid_target	process	target process
2032	2208	WerFault.exe	804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe

description	pid	process	target process
PID 2208 wrote to memory of 2032	2208	804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe	WerFault.exe
PID 2208 wrote to memory of 2032	2208	804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe	WerFault.exe
PID 2208 wrote to memory of 2032	2208	804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe	WerFault.exe
PID 2208 wrote to memory of 2032	2208	804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe
"C:\Users\Admin\AppData\Local\Temp\804b2380675be1a72c09800f35b0da110a74a61cff92cebaf22182fc93874340.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 120
2⤵
- Program crash
PID:2032

memory/2208-0-0x00000000000A0000-0x0000000000117000-memory.dmp

Filesize
476KB

Download