redline | c65fbeeb19e8ffe3f794dd544812c9626bd23f5c3a685897307f43c45270786c

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 11:48

Target

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe
Size

281KB
MD5

224ebb289e52c9f3a4c2bd583dab2d7c
SHA1

8cc0b7dd2fad4fac37cb87ab3c5027a061fdebb5
SHA256

a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd
SHA512

ea21feaa211f24f25106c5ec7825f575ad9a2e1d582a9908107d9a9b866db2baeedfc6fd4c6034d492c61491bc06d7c5cda14a31bce6e59c24a9c9537d7d2e2f
SSDEEP

6144:Wk65a4mpI1TJe8makPXbhaEW1MvBf5rXweiV/:uMVAJ8PX1aEWapxjm/

Score

10^/10

Family

redline

Botnet

@gennadiy_mudazvonov1

82.115.223.236:26393

Attributes

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral24/memory/1936-1-0x0000000000590000-0x00000000005C2000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4196 set thread context of 1936	4196	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	84

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 1936	4196	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	84
PID 4196 wrote to memory of 1936	4196	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	84
PID 4196 wrote to memory of 1936	4196	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	84
PID 4196 wrote to memory of 1936	4196	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	84
PID 4196 wrote to memory of 1936	4196	a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe	84

C:\Users\Admin\AppData\Local\Temp\a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe
"C:\Users\Admin\AppData\Local\Temp\a4fbd5dfa976d2526590065d16e166ae2ba5b58a17bdcc8d1efbaca35ae55cdd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1936

memory/1936-1-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download
memory/1936-6-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/1936-7-0x0000000005930000-0x0000000005F48000-memory.dmp

Filesize
6.1MB

Download
memory/1936-8-0x00000000072C0000-0x00000000073CA000-memory.dmp

Filesize
1.0MB

Download
memory/1936-9-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1936-10-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/1936-11-0x00000000073D0000-0x000000000740C000-memory.dmp

Filesize
240KB

Download
memory/1936-12-0x0000000007250000-0x000000000729C000-memory.dmp

Filesize
304KB

Download
memory/1936-13-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/1936-14-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4196-0-0x000000000085A000-0x000000000085B000-memory.dmp

Filesize
4KB

Download