redline | 292b6242a8248f18030260bd0c373ec14be1362f7f7494bca33e42fcc97580b0

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe
Size

302KB
MD5

c0e3f771bcbb789d734e7d3e1b1f4e65
SHA1

02e6e5e508188955181ac98bb1b9c414d2c1aa9e
SHA256

53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02
SHA512

c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118
SSDEEP

6144:QWzRT5OXkMMnTDs7UNVS49kCNQSzrs5kLJhHVugiqtciLRcx:X1T5nD7NQSzrs5kLJhHVugiqtciLR

Score

10^/10

redline crazy infostealer

Malware Config

Extracted

Family

redline

Botnet

crazy

83.97.73.129:19068

Attributes

auth_value
66bc4d9682ea090eef64a299ece12fdd

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral8/memory/1328-1-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 1328	4536	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4928	4536	WerFault.exe	80

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 1328	4536	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	82
PID 4536 wrote to memory of 1328	4536	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	82
PID 4536 wrote to memory of 1328	4536	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	82
PID 4536 wrote to memory of 1328	4536	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	82
PID 4536 wrote to memory of 1328	4536	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	82

C:\Users\Admin\AppData\Local\Temp\53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe
"C:\Users\Admin\AppData\Local\Temp\53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 152
  2⤵
  - Program crash
  PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4536 -ip 4536
1⤵
PID:1156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1328-6-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/1328-7-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/1328-8-0x0000000005670000-0x0000000005C88000-memory.dmp

Filesize
6.1MB

Download
memory/1328-9-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/1328-10-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/1328-11-0x00000000050D0000-0x000000000510C000-memory.dmp

Filesize
240KB

Download
memory/1328-12-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/1328-13-0x0000000005110000-0x000000000515C000-memory.dmp

Filesize
304KB

Download
memory/1328-14-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/1328-15-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4536-5-0x0000000000BD7000-0x0000000000BD8000-memory.dmp

Filesize
4KB

Download