redline | 292b6242a8248f18030260bd0c373ec14be1362f7f7494bca33e42fcc97580b0

Analysis

max time kernel
132s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 17:56

Target

53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe
Size

302KB
MD5

c0e3f771bcbb789d734e7d3e1b1f4e65
SHA1

02e6e5e508188955181ac98bb1b9c414d2c1aa9e
SHA256

53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02
SHA512

c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118
SSDEEP

6144:QWzRT5OXkMMnTDs7UNVS49kCNQSzrs5kLJhHVugiqtciLRcx:X1T5nD7NQSzrs5kLJhHVugiqtciLR

Score

10^/10

Family

redline

Botnet

crazy

83.97.73.129:19068

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral7/memory/2188-2-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral7/memory/2188-9-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral7/memory/2188-8-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1244 wrote to memory of 2188	1244	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29

C:\Users\Admin\AppData\Local\Temp\53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe
"C:\Users\Admin\AppData\Local\Temp\53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:2188

memory/1244-0-0x0000000000C87000-0x0000000000C88000-memory.dmp

Filesize
4KB

Download
memory/2188-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2188-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2188-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2188-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2188-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2188-10-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2188-11-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/2188-12-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-13-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2188-14-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download