redline | 2dc65011521e7ad60108888f5371fb028a91e927b1073cb9289f80fd02ee1763

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:13

Target

9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe
Size

1.1MB
MD5

74528821220b4f1ffd8a0c91852abd0f
SHA1

2e9219f3fdb0e6341840bf9c58cfc4fca352338b
SHA256

9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0
SHA512

27769622b4c8807c63c8ebee8e166f1fd46fa5cb606f0b54df9fa3f6364ea684011e0e5f749546ffc4c530959deb784c99e52aef2e93228889d9e3225a35577e
SSDEEP

12288:9AxJ1c9psKtwW7IhuOXUPJuI85i8gTohuVohatk6j0O/H9lm0:9i1c9psKtwW7m3iM5i8VKtvj0GH9l

Score

10^/10

Family

redline

Botnet

breha

77.91.124.55:19071

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral14/memory/4000-0-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe

description	pid	process	target process
PID 3088 set thread context of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1332 3088 WerFault.exe 9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe

pid	pid_target	process	target process
1332	3088	WerFault.exe	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe

description	pid	process	target process
PID 3088 wrote to memory of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe
PID 3088 wrote to memory of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe
PID 3088 wrote to memory of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe
PID 3088 wrote to memory of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe
PID 3088 wrote to memory of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe
PID 3088 wrote to memory of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe
PID 3088 wrote to memory of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe
PID 3088 wrote to memory of 4000	3088	9e3cf610e66102e164150efe5b2dee630cac04b4e4e29770c91180e956b39df0.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 204
2⤵
- Program crash
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3088 -ip 3088
1⤵
PID:2292

memory/4000-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-1-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/4000-2-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/4000-3-0x00000000077E0000-0x0000000007872000-memory.dmp

Filesize
584KB

Download
memory/4000-4-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/4000-5-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4000-6-0x0000000008880000-0x0000000008E98000-memory.dmp

Filesize
6.1MB

Download
memory/4000-7-0x0000000008260000-0x000000000836A000-memory.dmp

Filesize
1.0MB

Download
memory/4000-8-0x0000000007B20000-0x0000000007B32000-memory.dmp

Filesize
72KB

Download
memory/4000-9-0x0000000007B80000-0x0000000007BBC000-memory.dmp

Filesize
240KB

Download
memory/4000-10-0x0000000007BC0000-0x0000000007C0C000-memory.dmp

Filesize
304KB

Download
memory/4000-11-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/4000-12-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download