redline | 78044ff8f74edccd5579136ba1d670ce4f382444735c3885ab0542dd2b77ce63

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 14:45

Target

963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe
Size

493KB
MD5

05d368231aa5fb5e92404aa8c8a8f25b
SHA1

507d0aceed0d6b8204bbdd5d789fb464c32b1158
SHA256

963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b
SHA512

c4eb44baf7fa479b769c249d1231e1ca5b3a3614e4b1e35e562206fe5bc6da56c77faa06ba1d983fa47d1f080f56609cc44ca921fb51eda4a9947e3fb717d27d
SSDEEP

6144:o3nNKoPE2gZB/6fZOE0EUAOO1kKmxBuaLyvJTpkIroVLbyTy//55/766666qZ8x:6nNTPE2CEgRKuuaWvJVFro4TW/Cx

Score

10^/10

Family

redline

Botnet

horda

194.49.94.152:19053

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral8/memory/2940-3-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral8/memory/2940-2-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral8/memory/2940-9-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral8/memory/2940-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral8/memory/2940-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

Processes:

963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe

description	pid	process	target process
PID 2904 set thread context of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe

description	pid	process	target process
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe
PID 2904 wrote to memory of 2940	2904	963caa90e29c238b3f03e62737f229b75eea1ca9df309b4f2016fe5bf9afee8b.exe	AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2940

memory/2940-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-10-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/2940-11-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-12-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/2940-13-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download