redline | 6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2

Analysis

max time kernel
299s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08/07/2024, 05:03

Target

6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe
Size

537KB
MD5

e72e3e0f37eddc11e9003053604c7ab6
SHA1

2c8fe866e63d022f0da0f67132d14260fc220e24
SHA256

6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2
SHA512

10ff29c4310676f4f198baf12d087b4283bcafa846f626493e9716611b4e815df58073f37018a337654de1d382b31bc7e8ae948dbe1c77e156b89f2c5d8479ac
SSDEEP

12288:GlPvulyUTwW9U9ybMSDttya3WfwsUXo0gIteVvfL/T+jtx:GlPmlyU82Df3NsUTgsCvfL6

Score

10^/10

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2700-1-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76
PID 3444 wrote to memory of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76
PID 3444 wrote to memory of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76
PID 3444 wrote to memory of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76
PID 3444 wrote to memory of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76
PID 3444 wrote to memory of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76
PID 3444 wrote to memory of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76
PID 3444 wrote to memory of 2700	3444	6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe	76

C:\Users\Admin\AppData\Local\Temp\6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe
"C:\Users\Admin\AppData\Local\Temp\6ccec07e798b1400fdb5c6d059b4a7421333c12ec60c566d599e556cd74e53b2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2700

memory/2700-1-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2700-2-0x00000000730CE000-0x00000000730CF000-memory.dmp

Filesize
4KB

Download
memory/2700-3-0x0000000005A40000-0x0000000005F3E000-memory.dmp

Filesize
5.0MB

Download
memory/2700-4-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/2700-5-0x0000000005550000-0x000000000555A000-memory.dmp

Filesize
40KB

Download
memory/2700-6-0x0000000006950000-0x0000000006F56000-memory.dmp

Filesize
6.0MB

Download
memory/2700-7-0x00000000081B0000-0x00000000082BA000-memory.dmp

Filesize
1.0MB

Download
memory/2700-8-0x00000000080A0000-0x00000000080B2000-memory.dmp

Filesize
72KB

Download
memory/2700-9-0x0000000008100000-0x000000000813E000-memory.dmp

Filesize
248KB

Download
memory/2700-10-0x0000000008140000-0x000000000818B000-memory.dmp

Filesize
300KB

Download
memory/2700-11-0x00000000730CE000-0x00000000730CF000-memory.dmp

Filesize
4KB

Download
memory/3444-0-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download