redline | 5d8813c8888c16b7fd0a4a71b54b2037cb12570ee9ef96d50cfacb4c7bfe926e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 00:27

Target

OwnCheat.exe
Size

524KB
MD5

59e24336505eff626ece7419c9314d1e
SHA1

70c4294e910f9e2980c45989c349c625a9fb82b0
SHA256

5d8813c8888c16b7fd0a4a71b54b2037cb12570ee9ef96d50cfacb4c7bfe926e
SHA512

4602d33d9c73f135ff29ecfc4966f72c44a10428c49d2bb77714ccca0792b1ea9e5aaa250ebc1717c8051296d2b37cbd8c6744a42d2b934c0acfdb360a7b4050
SSDEEP

12288:uKVvbfv5NToZQRDJV4hNAsDGrakzBP666juEO:rD5N8kP4hNAsK22P666jut

Score

10^/10

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/460-1-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 460	2060	OwnCheat.exe	93

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4644	2060	OwnCheat.exe	92
PID 2060 wrote to memory of 4644	2060	OwnCheat.exe	92
PID 2060 wrote to memory of 4644	2060	OwnCheat.exe	92
PID 2060 wrote to memory of 460	2060	OwnCheat.exe	93
PID 2060 wrote to memory of 460	2060	OwnCheat.exe	93
PID 2060 wrote to memory of 460	2060	OwnCheat.exe	93
PID 2060 wrote to memory of 460	2060	OwnCheat.exe	93
PID 2060 wrote to memory of 460	2060	OwnCheat.exe	93
PID 2060 wrote to memory of 460	2060	OwnCheat.exe	93
PID 2060 wrote to memory of 460	2060	OwnCheat.exe	93
PID 2060 wrote to memory of 460	2060	OwnCheat.exe	93

C:\Users\Admin\AppData\Local\Temp\OwnCheat.exe
"C:\Users\Admin\AppData\Local\Temp\OwnCheat.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3640,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:4616

memory/460-6-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/460-8-0x0000000006220000-0x000000000632A000-memory.dmp

Filesize
1.0MB

Download
memory/460-2-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/460-3-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/460-4-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/460-5-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/460-1-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/460-13-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/460-10-0x00000000061B0000-0x00000000061EC000-memory.dmp

Filesize
240KB

Download
memory/460-9-0x0000000006150000-0x0000000006162000-memory.dmp

Filesize
72KB

Download
memory/460-7-0x0000000006590000-0x0000000006BA8000-memory.dmp

Filesize
6.1MB

Download
memory/460-11-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/460-12-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/2060-0-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download