redline | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Size

459KB
MD5

c71d4dd80ac8735935cb38cd6a88f63c
SHA1

f5184d6ea3c45ddf32c88100add62f6967ffc760
SHA256

5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd
SHA512

633872b337c98d3b9851d5661fa821962f378c7eafcf10cdfb9128c71cb6ab9511ebbdee3acf5ea4ecffb42a2996c6e29f9c6ceba31b71156ec82246b41b03a0
SSDEEP

6144:gfDhrbDPM4jjdpvIN8fp7z5BAOQwbTaJTZeOY23bE4Z40BOkj/OM5/QjC0X:gfDRDPjjb/+aaRx3b9Z7BOkj2MtQjbX

Score

10^/10

redline magia infostealer

Malware Config

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral9/memory/2256-5-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral9/memory/2256-3-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral9/memory/2256-2-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral9/memory/2256-7-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral9/memory/2256-9-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe

description	pid	process	target process
PID 2816 set thread context of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1336 2816 WerFault.exe 5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe

pid	pid_target	process	target process
1336	2816	WerFault.exe	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe

description	pid	process	target process
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 2256	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	AppLaunch.exe
PID 2816 wrote to memory of 1336	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	WerFault.exe
PID 2816 wrote to memory of 1336	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	WerFault.exe
PID 2816 wrote to memory of 1336	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	WerFault.exe
PID 2816 wrote to memory of 1336	2816	5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
"C:\Users\Admin\AppData\Local\Temp\5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 136
2⤵
- Program crash
PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2256-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2256-10-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

Filesize
4KB

Download
memory/2256-11-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-12-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

Filesize
4KB

Download
memory/2256-13-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download