redline | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
134s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe
Size

413KB
MD5

d9b1bbeef5c6848bd16a1818f6bf14d4
SHA1

90935fd1d36a1317adc4925ab243bd2b6b3bdb8c
SHA256

472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d
SHA512

e06ccaeb983b83a3086c6bdbabbbad8e8e882c14beb14f3b289c98b096782a42c5f8800849c632873f5978afe513a7bc12a54597a582008c2420ec4c842c9279
SSDEEP

6144:s2Cc1vkeamA7uqck0h6OjAOnHhfGRlk30YXljPVjjyjjLj4RjMjjcjjKj9mJ37:s2J1ceamvBVHhfGg30YXljW037

Score

10^/10

redline darts infostealer

Malware Config

Extracted

Family

redline

Botnet

darts

77.91.124.82:19071

Attributes

auth_value
3c8818da7045365845f15ec0946ebf11

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral3/memory/2264-5-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral3/memory/2264-8-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral3/memory/2264-3-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral3/memory/2264-9-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral3/memory/2264-2-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2152	1640	WerFault.exe	27

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2264	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	28
PID 1640 wrote to memory of 2152	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	29
PID 1640 wrote to memory of 2152	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	29
PID 1640 wrote to memory of 2152	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	29
PID 1640 wrote to memory of 2152	1640	472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe	29

C:\Users\Admin\AppData\Local\Temp\472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe
"C:\Users\Admin\AppData\Local\Temp\472b4c438a30ae51bf83b08a063b74c043ceb6bb1706403bef38aa3a9afbda4d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 92
  2⤵
  - Program crash
  PID:2152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2264-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2264-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2264-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2264-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2264-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2264-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2264-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2264-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2264-10-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/2264-11-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2264-12-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-13-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/2264-14-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download