redline | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
133s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe
Size

398KB
MD5

1962a9d6f9bb3071aee41ba0612974b4
SHA1

c2fc7ba89e6c27d019b701551be1ac223518d463
SHA256

cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3
SHA512

242a38160ba03d1cafc1e966e6bfeb79485b65d837872733483ce2fa20aa87319943a5be8cc8a536ea85accbd70237560ff2d7a2b1c2830ad66f050388576176
SSDEEP

6144:POrViSWAs3WHexAVklAO8V38RC9M/HdDCnlyPoPGC6:PCiSWLT+VMRC9uenlyKGC6

Score

10^/10

redline darts infostealer

Malware Config

Extracted

Family

redline

Botnet

darts

77.91.124.82:19071

Attributes

auth_value
3c8818da7045365845f15ec0946ebf11

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral13/memory/3004-5-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral13/memory/3004-3-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral13/memory/3004-2-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral13/memory/3004-9-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral13/memory/3004-7-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2888	WerFault.exe	27

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 3004	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	28
PID 2888 wrote to memory of 2700	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	29
PID 2888 wrote to memory of 2700	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	29
PID 2888 wrote to memory of 2700	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	29
PID 2888 wrote to memory of 2700	2888	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	29

C:\Users\Admin\AppData\Local\Temp\cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe
"C:\Users\Admin\AppData\Local\Temp\cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 92
  2⤵
  - Program crash
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3004-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3004-10-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/3004-11-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/3004-12-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3004-13-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/3004-14-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download