redline | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
144s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Target

2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe
Size

461KB
MD5

f00def9d28e0765f7d1660e542ac36b4
SHA1

8698ee29d45df86585c19e6835db53ee6b0872f1
SHA256

2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5
SHA512

f2c18a6ff68c5da7e4afbe86fb5ad50e0d0bdd5db7889dfc508640f963bb911246929945b2db2f263c1b13847db55f3d6a49df638805ecec3d22e288a93df54c
SSDEEP

6144:ZUJEOvl/jTFn4F31HJybyv5AOCfcMOvFQHPFtJWP5ZivTjnrjOP:ZJOv1xnszhIU4jEfEX

Score

10^/10

Family

redline

Botnet

magia

77.91.124.55:19071

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2236-0-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe

description	pid	process	target process
PID 2240 set thread context of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2376 2240 WerFault.exe 2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe

pid	pid_target	process	target process
2376	2240	WerFault.exe	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe

description	pid	process	target process
PID 2240 wrote to memory of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe
PID 2240 wrote to memory of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe
PID 2240 wrote to memory of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe
PID 2240 wrote to memory of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe
PID 2240 wrote to memory of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe
PID 2240 wrote to memory of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe
PID 2240 wrote to memory of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe
PID 2240 wrote to memory of 2236	2240	2e6c446801978c45f270ec540c0c9884a83b944218fb00b16d7091ab41c28ca5.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 416
2⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2240 -ip 2240
1⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3844

memory/2236-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-1-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/2236-2-0x0000000008270000-0x0000000008814000-memory.dmp

Filesize
5.6MB

Download
memory/2236-3-0x0000000007CC0000-0x0000000007D52000-memory.dmp

Filesize
584KB

Download
memory/2236-4-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/2236-5-0x0000000007D70000-0x0000000007D7A000-memory.dmp

Filesize
40KB

Download
memory/2236-6-0x0000000008E40000-0x0000000009458000-memory.dmp

Filesize
6.1MB

Download
memory/2236-7-0x0000000008020000-0x000000000812A000-memory.dmp

Filesize
1.0MB

Download
memory/2236-8-0x0000000007F50000-0x0000000007F62000-memory.dmp

Filesize
72KB

Download
memory/2236-9-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

Filesize
240KB

Download
memory/2236-10-0x0000000008130000-0x000000000817C000-memory.dmp

Filesize
304KB

Download
memory/2236-11-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/2236-12-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download