Analysis

Max time kernel: 7s
Platform: windows11-21h2_x64
Resource: win11-20240704-en
Resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 07-07-2024 10:03

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample: d3d9.dll
  Resource: win11-20240704-en
  4 signatures, 150 seconds
General

Target: d3d9.dll
Size: 437KB
MD5: 106fe1980dbcb4fa2fe0c00b6d6fa7c2
SHA1: 5cb7eb7be8f3d1641cb458024d868363658a2955
SHA256: c0716389100b55b09f46fafef37bb7d120453df3bfb1097dcd30e14bb97c09bc
SHA512: c9d48c5f5ecf83012f1cc16581b7bb283265a3808847af46195987c7b0721116fe7241185d67b5d7636080881da5f18df04e57e309ff5a133046dd87ca8d06ce
SSDEEP: 6144:4eNFZFLuLRQRZXBG7c4KozJDdHOfUyNeqc4DivMf2Qc4YY6WSJbW9gn4U9X7l+gF:JNtYSRZ6FjusyN1c4ClIVQR
Score: 10/10
Malware Config (extracted)

Family: redline
C2: 185.196.9.26:6302
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3152-3-0x0000000000700000-0x0000000000750000-memory.dmp    family_redline

Suspicious use of SetThreadContext (1 IoCs)
  description                              pid    process        procid_target
  PID 1352 set thread context of 3152      1352   rundll32.exe   81

Suspicious use of WriteProcessMemory (11 IoCs)
  description                              pid    process        procid_target
  PID 4908 wrote to memory of 1352         4908   rundll32.exe   80
  PID 4908 wrote to memory of 1352         4908   rundll32.exe   80
  PID 4908 wrote to memory of 1352         4908   rundll32.exe   80
  PID 1352 wrote to memory of 3152         1352   rundll32.exe   81
  PID 1352 wrote to memory of 3152         1352   rundll32.exe   81
  PID 1352 wrote to memory of 3152         1352   rundll32.exe   81
  PID 1352 wrote to memory of 3152         1352   rundll32.exe   81
  PID 1352 wrote to memory of 3152         1352   rundll32.exe   81
  PID 1352 wrote to memory of 3152         1352   rundll32.exe   81
  PID 1352 wrote to memory of 3152         1352   rundll32.exe   81
  PID 1352 wrote to memory of 3152         1352   rundll32.exe   81
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3d9.dll,#1
   PID: 4908
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3d9.dll,#1
      PID: 1352
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
         PID: 3152