redline | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe
Size

461KB
MD5

dd419151f00f410c2e9f6b5a355851ff
SHA1

5eda780b952b3e7904ee5fb94c7fc462dcc9f4b6
SHA256

6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b
SHA512

6dc62e99f3b4872283746fa23fbb925b6a486c72410838e11b02a2789251abc335c246e4616536e3a3199136b851acccb1ebbae07af3963b233f02e5c7ea3641
SSDEEP

12288:29Ov1xnszhKWlFCCCCCCCCCCCCCCCCCCCCCCC+CCCCCCCCCCCCCCCCCCCCCCCUfc:29O9xn8/CCCCCCCCCCCCCCCCCCCCCCCP

Score

10^/10

redline magia infostealer

Malware Config

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral9/memory/2020-8-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral9/memory/2020-2-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral9/memory/2020-5-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral9/memory/2020-3-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral9/memory/2020-9-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2520	1636	WerFault.exe	27

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 864	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	28
PID 1636 wrote to memory of 864	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	28
PID 1636 wrote to memory of 864	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	28
PID 1636 wrote to memory of 864	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	28
PID 1636 wrote to memory of 864	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	28
PID 1636 wrote to memory of 864	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	28
PID 1636 wrote to memory of 864	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	28
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2020	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	29
PID 1636 wrote to memory of 2520	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	30
PID 1636 wrote to memory of 2520	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	30
PID 1636 wrote to memory of 2520	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	30
PID 1636 wrote to memory of 2520	1636	6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe	30

C:\Users\Admin\AppData\Local\Temp\6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe
"C:\Users\Admin\AppData\Local\Temp\6d91ecfeedfc048e057ef390c0a9a12a14dd8dadc74b44e7d17e7d767fa6fb9b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 144
  2⤵
  - Program crash
  PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2020-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2020-10-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-12-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/2020-13-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads