redline | 2685b451d5bc5d1cd7c159a87efdfacd5a60c314491404e6e60e752ba3db90cf

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 15:27

Target

53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe
Size

302KB
MD5

c0e3f771bcbb789d734e7d3e1b1f4e65
SHA1

02e6e5e508188955181ac98bb1b9c414d2c1aa9e
SHA256

53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02
SHA512

c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118
SSDEEP

6144:QWzRT5OXkMMnTDs7UNVS49kCNQSzrs5kLJhHVugiqtciLRcx:X1T5nD7NQSzrs5kLJhHVugiqtciLR

Score

10^/10

Family

redline

Botnet

crazy

83.97.73.129:19068

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral11/memory/2088-8-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral11/memory/2088-2-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral11/memory/2088-9-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29
PID 1948 wrote to memory of 2088	1948	53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe	29

C:\Users\Admin\AppData\Local\Temp\53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe
"C:\Users\Admin\AppData\Local\Temp\53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:2088

memory/1948-0-0x00000000008A7000-0x00000000008A8000-memory.dmp

Filesize
4KB

Download
memory/2088-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2088-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2088-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2088-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2088-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-10-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/2088-11-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2088-12-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-13-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/2088-14-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download