redline | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Target

6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Size

580KB
MD5

ebcfc4500d1348332865ccb96be87f5e
SHA1

f78a388d5a8c2718527181efee63aaf139954e0b
SHA256

6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c
SHA512

c87b17990cb308806e2e9048000155d488e3eb36655bb594d4efaaaf09640ea6753dcc1e55d17b55dd14f77a72701594b22e5719eb2cde3d2b5343f5bf277680
SSDEEP

12288:iHU6GzAGLY4kowmI7VujGeY99pTkyIGtISDoxR5xwUiQ:iHbSAGxI7BqyIGtISDoxR5x

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral8/memory/912-0-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1604 set thread context of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1016	1604	WerFault.exe	82

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83
PID 1604 wrote to memory of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83
PID 1604 wrote to memory of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83
PID 1604 wrote to memory of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83
PID 1604 wrote to memory of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83
PID 1604 wrote to memory of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83
PID 1604 wrote to memory of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83
PID 1604 wrote to memory of 912	1604	6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe	83

C:\Users\Admin\AppData\Local\Temp\6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
"C:\Users\Admin\AppData\Local\Temp\6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 384
  2⤵
  - Program crash
  PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1604 -ip 1604
1⤵
PID:3356

memory/912-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/912-1-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

Filesize
4KB

Download
memory/912-2-0x0000000007C30000-0x00000000081D4000-memory.dmp

Filesize
5.6MB

Download
memory/912-3-0x0000000007720000-0x00000000077B2000-memory.dmp

Filesize
584KB

Download
memory/912-4-0x0000000004C90000-0x0000000004C9A000-memory.dmp

Filesize
40KB

Download
memory/912-5-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/912-6-0x0000000008800000-0x0000000008E18000-memory.dmp

Filesize
6.1MB

Download
memory/912-7-0x00000000078F0000-0x0000000007902000-memory.dmp

Filesize
72KB

Download
memory/912-8-0x0000000007A90000-0x0000000007B9A000-memory.dmp

Filesize
1.0MB

Download
memory/912-9-0x0000000007980000-0x00000000079BC000-memory.dmp

Filesize
240KB

Download
memory/912-10-0x00000000079C0000-0x0000000007A0C000-memory.dmp

Filesize
304KB

Download
memory/912-11-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

Filesize
4KB

Download
memory/912-12-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download