redline | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
133s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe
Size

398KB
MD5

1962a9d6f9bb3071aee41ba0612974b4
SHA1

c2fc7ba89e6c27d019b701551be1ac223518d463
SHA256

cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3
SHA512

242a38160ba03d1cafc1e966e6bfeb79485b65d837872733483ce2fa20aa87319943a5be8cc8a536ea85accbd70237560ff2d7a2b1c2830ad66f050388576176
SSDEEP

6144:POrViSWAs3WHexAVklAO8V38RC9M/HdDCnlyPoPGC6:PCiSWLT+VMRC9uenlyKGC6

Score

10^/10

redline darts infostealer

Malware Config

Extracted

Family

redline

Botnet

darts

77.91.124.82:19071

Attributes

auth_value
3c8818da7045365845f15ec0946ebf11

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral14/memory/4108-0-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4644	1772	WerFault.exe	89

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92
PID 1772 wrote to memory of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92
PID 1772 wrote to memory of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92
PID 1772 wrote to memory of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92
PID 1772 wrote to memory of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92
PID 1772 wrote to memory of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92
PID 1772 wrote to memory of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92
PID 1772 wrote to memory of 4108	1772	cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe	92

C:\Users\Admin\AppData\Local\Temp\cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe
"C:\Users\Admin\AppData\Local\Temp\cabcad649e33f7f4e2ee71f0de68902c08004e3587dd364c97b12d067acbd6d3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 272
  2⤵
  - Program crash
  PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1772 -ip 1772
1⤵
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
1⤵
PID:1560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4108-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4108-1-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/4108-2-0x0000000005310000-0x0000000005316000-memory.dmp

Filesize
24KB

Download
memory/4108-3-0x000000000AE80000-0x000000000B498000-memory.dmp

Filesize
6.1MB

Download
memory/4108-4-0x000000000A970000-0x000000000AA7A000-memory.dmp

Filesize
1.0MB

Download
memory/4108-5-0x000000000A8A0000-0x000000000A8B2000-memory.dmp

Filesize
72KB

Download
memory/4108-6-0x000000000A900000-0x000000000A93C000-memory.dmp

Filesize
240KB

Download
memory/4108-7-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/4108-8-0x0000000004E50000-0x0000000004E9C000-memory.dmp

Filesize
304KB

Download
memory/4108-9-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/4108-10-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download