redline | ae29634c421e7fae872a93c040b896ad770641124691367109255096c87422ba

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 08:42

Target

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe
Size

281KB
MD5

224ebb289e52c9f3a4c2bd583dab2d7c
SHA1

8cc0b7dd2fad4fac37cb87ab3c5027a061fdebb5
SHA256

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd
SHA512

ea21feaa211f24f25106c5ec7825f575ad9a2e1d582a9908107d9a9b866db2baeedfc6fd4c6034d492c61491bc06d7c5cda14a31bce6e59c24a9c9537d7d2e2f
SSDEEP

6144:Wk65a4mpI1TJe8makPXbhaEW1MvBf5rXweiV/:uMVAJ8PX1aEWapxjm/

Score

10^/10

Family

redline

Botnet

@gennadiy_mudazvonov1

82.115.223.236:26393

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral17/memory/4036-2-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe

description	pid	Process	procid_target
PID 4100 set thread context of 4036	4100	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	85

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe

description	pid	Process	procid_target
PID 4100 wrote to memory of 4036	4100	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	85
PID 4100 wrote to memory of 4036	4100	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	85
PID 4100 wrote to memory of 4036	4100	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	85
PID 4100 wrote to memory of 4036	4100	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	85
PID 4100 wrote to memory of 4036	4100	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	85

C:\Users\Admin\AppData\Local\Temp\a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe
"C:\Users\Admin\AppData\Local\Temp\a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4036

memory/4036-2-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4036-6-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/4036-8-0x0000000007BE0000-0x0000000007CEA000-memory.dmp

Filesize
1.0MB

Download
memory/4036-7-0x0000000006360000-0x0000000006978000-memory.dmp

Filesize
6.1MB

Download
memory/4036-9-0x00000000062E0000-0x00000000062F2000-memory.dmp

Filesize
72KB

Download
memory/4036-10-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4036-11-0x0000000007DB0000-0x0000000007DEC000-memory.dmp

Filesize
240KB

Download
memory/4036-12-0x0000000007DF0000-0x0000000007E3C000-memory.dmp

Filesize
304KB

Download
memory/4036-13-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/4036-14-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4100-0-0x00000000001AA000-0x00000000001AB000-memory.dmp

Filesize
4KB

Download