redline | cedfb47b22871e12b67b3d7d01e4eb1bcad63bf61dfab89db5acde64cc12832b | Triage

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 11:20

Sharing

Report Analysis Logs

General

Target

tmp.exe
Size

990KB
MD5

9056dca80b3431615d63b13b72ca143c
SHA1

cf9122b3b7f57f0f4cd6ff8303417f1f6279a80c
SHA256

cedfb47b22871e12b67b3d7d01e4eb1bcad63bf61dfab89db5acde64cc12832b
SHA512

13a26a8d261ff4c6d83158ea0d7d99aac670159fca9f2a6b1e180ed9be1bdd5abdceab2fc232774f828c61d3aa267f29cebc22fe3d276fd0ae8d7e4681f38fb2
SSDEEP

12288:dRMAkWbP+k/ldbNxhZcKMMbm8gtnwaJioTTQ3AwHuwZ+U4cxV0q4Z5g1:HMAkCP+k/l7xhZcKMwmSajn/U4cO2

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2000-0-0x0000000001210000-0x000000000130D000-memory.dmp	family_redline

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1612 2000 WerFault.exe tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 2000 wrote to memory of 1612	2000	tmp.exe	WerFault.exe
PID 2000 wrote to memory of 1612	2000	tmp.exe	WerFault.exe
PID 2000 wrote to memory of 1612	2000	tmp.exe	WerFault.exe
PID 2000 wrote to memory of 1612	2000	tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 116
2⤵
- Program crash
PID:1612

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-0-0x0000000001210000-0x000000000130D000-memory.dmp

Filesize
1012KB

Download