redline | 471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:46

Target

471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe
Size

141KB
MD5

b9f762b1e51df7b8df10fb4bec204754
SHA1

5fa0988eb0fec59db77e625568fe57fdedd840cc
SHA256

471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c
SHA512

d18e243be62963465ef2da1857fca1422bf89e8925d1ead98b8ad3aa0c182083474c209091f292f20f39a0c6603f65c5e91c502d54452c11d54f13f3b45b4a70
SSDEEP

3072:5K1JZOpTvVQZ+rcIeRYs6YmszJqoD2z7BpGGoMTb3R35dINX9r5Px8:IOpu0rjeRbVJqoD+1pGGoMTb3RDINN

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2436-1-0x0000000000300000-0x000000000032A000-memory.dmp	family_redline

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2488 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2488 taskkill.exe

pid	process
2488	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2488	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.execmd.exe

description	pid	process	target process
PID 2436 wrote to memory of 2200	2436	471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe	cmd.exe
PID 2436 wrote to memory of 2200	2436	471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe	cmd.exe
PID 2436 wrote to memory of 2200	2436	471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe	cmd.exe
PID 2436 wrote to memory of 2200	2436	471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe	cmd.exe
PID 2200 wrote to memory of 2488	2200	cmd.exe	taskkill.exe
PID 2200 wrote to memory of 2488	2200	cmd.exe	taskkill.exe
PID 2200 wrote to memory of 2488	2200	cmd.exe	taskkill.exe
PID 2200 wrote to memory of 2488	2200	cmd.exe	taskkill.exe
PID 2200 wrote to memory of 2732	2200	cmd.exe	choice.exe
PID 2200 wrote to memory of 2732	2200	cmd.exe	choice.exe
PID 2200 wrote to memory of 2732	2200	cmd.exe	choice.exe
PID 2200 wrote to memory of 2732	2200	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe
"C:\Users\Admin\AppData\Local\Temp\471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 2436 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\471afcc5af89d0add85cfb019bec06c6c7e6178fd0bbfbdea7f9e821fad5d17c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2200

memory/2436-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2436-1-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/2436-2-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-3-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download