redline | ae29634c421e7fae872a93c040b896ad770641124691367109255096c87422ba

Analysis

max time kernel
134s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 08:42

Target

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe
Size

281KB
MD5

224ebb289e52c9f3a4c2bd583dab2d7c
SHA1

8cc0b7dd2fad4fac37cb87ab3c5027a061fdebb5
SHA256

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd
SHA512

ea21feaa211f24f25106c5ec7825f575ad9a2e1d582a9908107d9a9b866db2baeedfc6fd4c6034d492c61491bc06d7c5cda14a31bce6e59c24a9c9537d7d2e2f
SSDEEP

6144:Wk65a4mpI1TJe8makPXbhaEW1MvBf5rXweiV/:uMVAJ8PX1aEWapxjm/

Score

10^/10

Family

redline

Botnet

@gennadiy_mudazvonov1

82.115.223.236:26393

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral16/memory/2248-2-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral16/memory/2248-8-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral16/memory/2248-9-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe

description	pid	Process	procid_target
PID 2812 set thread context of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe

description	pid	Process	procid_target
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29
PID 2812 wrote to memory of 2248	2812	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	29

C:\Users\Admin\AppData\Local\Temp\a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe
"C:\Users\Admin\AppData\Local\Temp\a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2248

memory/2248-2-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2248-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2248-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2248-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2248-10-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2248-11-0x000000007413E000-0x000000007413F000-memory.dmp

Filesize
4KB

Download
memory/2812-0-0x000000000003A000-0x000000000003B000-memory.dmp

Filesize
4KB

Download