redline | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
147s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Size

459KB
MD5

616b135f7044939bf0221b31f55318d4
SHA1

1fbf9dcb0fbff73c5de099bf37551a7504b5160e
SHA256

c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0
SHA512

06f90184928f58264418270487a6d0fdfc79d7c9c8b294c0d9f0f80a26e09e2e4d62b8973f2b81bd59066e39f783b7d2f3cbe8e3388e305365f6c57f952fe034
SSDEEP

6144:vfEhUbDPM4jjdpvIN8fp7z5BAOLaozbmA1jn2JQB48FK1MD0X:vfEEDPjjb/1tNneQB48BQX

Score

10^/10

redline magia infostealer

Malware Config

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral17/memory/2204-5-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral17/memory/2204-9-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral17/memory/2204-7-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral17/memory/2204-3-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral17/memory/2204-2-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe

description	pid	process	target process
PID 1592 set thread context of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

960 1592 WerFault.exe c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe

pid	pid_target	process	target process
960	1592	WerFault.exe	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe

description	pid	process	target process
PID 1592 wrote to memory of 2200	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2200	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2200	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2200	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2200	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2200	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2200	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 2204	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	AppLaunch.exe
PID 1592 wrote to memory of 960	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	WerFault.exe
PID 1592 wrote to memory of 960	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	WerFault.exe
PID 1592 wrote to memory of 960	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	WerFault.exe
PID 1592 wrote to memory of 960	1592	c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
"C:\Users\Admin\AppData\Local\Temp\c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 144
2⤵
- Program crash
PID:960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2204-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-10-0x0000000072CFE000-0x0000000072CFF000-memory.dmp

Filesize
4KB

Download
memory/2204-11-0x0000000072CF0000-0x00000000733DE000-memory.dmp

Filesize
6.9MB

Download
memory/2204-12-0x0000000072CFE000-0x0000000072CFF000-memory.dmp

Filesize
4KB

Download
memory/2204-13-0x0000000072CF0000-0x00000000733DE000-memory.dmp

Filesize
6.9MB

Download