redline | 044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-04-2024 01:01

Target

044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe
Size

501KB
MD5

d88b40ed7f2e8b7e39cd1c21d09bde00
SHA1

d9865029f441f1234580ec18756566b6fe201331
SHA256

044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149
SHA512

c22374565af7f8455c985d70d3d9f5af69f1480fbf2fd02a3ff44e2fe5c9661e0d61814d48f9c3398ddad3de01872a255f23757a30deef34fbadcb8ebbd43c9d
SSDEEP

12288:JYFBqcQcaQVsGRi5xYJQgP4FiKe37a8oz9NSQ1f:JYXqc3sCi5XY4FiKeLPozvx

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000940000-0x00000000009C2000-memory.dmp	family_redline

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2904 2872 WerFault.exe 044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe

pid	pid_target	process	target process
2904	2872	WerFault.exe	044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe

description	pid	process	target process
PID 2872 wrote to memory of 2904	2872	044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe	WerFault.exe
PID 2872 wrote to memory of 2904	2872	044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe	WerFault.exe
PID 2872 wrote to memory of 2904	2872	044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe	WerFault.exe
PID 2872 wrote to memory of 2904	2872	044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe
"C:\Users\Admin\AppData\Local\Temp\044041766e3684b106c4c78a70188a599578f3768457e25d26e0c24fb5a34149.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 68
2⤵
- Program crash
PID:2904

memory/2872-0-0x0000000000940000-0x00000000009C2000-memory.dmp

Filesize
520KB

Download