redline | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
131s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe
Size

398KB
MD5

d8f765c09c4b7ccdee780360b63a449b
SHA1

064dbe7139eed5510ecc24a0893b7e02418c4a01
SHA256

7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f
SHA512

f26497744246d6621b72abd70e8e3637026ff6bddf535eaf752834b739390aa4e6dfd830ab66ee429516e264f569f8b1822ad3fc6ab1d5ac6011c008a782a2cd
SSDEEP

12288:guiSWLTVm+lfvADXLo/JHIHFtocDtM+avbiwaQGC6:gsWNcP

Score

10^/10

redline darts infostealer

Malware Config

Extracted

Family

redline

Botnet

darts

77.91.124.82:19071

Attributes

auth_value
3c8818da7045365845f15ec0946ebf11

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral10/memory/2372-5-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral10/memory/2372-3-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral10/memory/2372-2-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral10/memory/2372-9-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral10/memory/2372-7-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe

description	pid	process	target process
PID 1944 set thread context of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2620 1944 WerFault.exe 7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe

pid	pid_target	process	target process
2620	1944	WerFault.exe	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe

description	pid	process	target process
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2372	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	AppLaunch.exe
PID 1944 wrote to memory of 2620	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	WerFault.exe
PID 1944 wrote to memory of 2620	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	WerFault.exe
PID 1944 wrote to memory of 2620	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	WerFault.exe
PID 1944 wrote to memory of 2620	1944	7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe
"C:\Users\Admin\AppData\Local\Temp\7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 92
  2⤵
  - Program crash
  PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2372-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-10-0x000000007437E000-0x000000007437F000-memory.dmp

Filesize
4KB

Download
memory/2372-11-0x00000000005E0000-0x00000000005E6000-memory.dmp

Filesize
24KB

Download
memory/2372-12-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-13-0x000000007437E000-0x000000007437F000-memory.dmp

Filesize
4KB

Download
memory/2372-14-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download