redline | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:34

Target

4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe
Size

376KB
MD5

d31797dc0f17f69e5245e0a452aab2b3
SHA1

9bd1e6981d8cde9f7db98540711101cd57ead02c
SHA256

4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b
SHA512

7de1f6f6b7354e684e0850fe3149253cddb01dfe9e7aa692c100e52f62ce5875a73d051a5f90c2a58fb78ea17c4fb46f706ae55c5afb694cf2315370230985f2
SSDEEP

6144:V93K5fykNFVr5ywuibFEr3dyYAOI/CsqfCJijYXF7Z/2wk6CJOn0ttp:V9a5frbVr5ujxu7qfPjZT

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/3320-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe

description	pid	process	target process
PID 228 set thread context of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1540 228 WerFault.exe 4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe

pid	pid_target	process	target process
1540	228	WerFault.exe	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe

description	pid	process	target process
PID 228 wrote to memory of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe
PID 228 wrote to memory of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe
PID 228 wrote to memory of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe
PID 228 wrote to memory of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe
PID 228 wrote to memory of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe
PID 228 wrote to memory of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe
PID 228 wrote to memory of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe
PID 228 wrote to memory of 3320	228	4852dcede8c2a79b77049fad052569e7900c43963519e55522590fd06b2c0e5b.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 368
2⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 228 -ip 228
1⤵
PID:936

memory/3320-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3320-1-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/3320-2-0x0000000007F50000-0x0000000008568000-memory.dmp

Filesize
6.1MB

Download
memory/3320-3-0x00000000079E0000-0x00000000079F2000-memory.dmp

Filesize
72KB

Download
memory/3320-4-0x0000000007B10000-0x0000000007C1A000-memory.dmp

Filesize
1.0MB

Download
memory/3320-5-0x0000000007A40000-0x0000000007A7C000-memory.dmp

Filesize
240KB

Download
memory/3320-6-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3320-7-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

Filesize
304KB

Download
memory/3320-8-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/3320-9-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download