redline | 6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StrangeOstrumV2.exe
Size

356KB
MD5

d16418fbada8f2a6f41b58b0666c2bda
SHA1

918047757fafd633f111fc9c47b90e5611341aab
SHA256

6d8fc5485484ff3a0efee3b5961dd07882f7ab55b472b5884a0a5199ca26f68e
SHA512

0bc4daeb51b6596e248e861b3c293a0d58ffeb46746dd16db42c337fb3b415648d79975af298ea0043393f0063ff43b938ab6097690c756723ce26ef04725fd1
SSDEEP

6144:XYLVGAk69fIESPUSyvC3WvwKP2XYvy07e1hQRpsJQlGNc8NJRxx+G8WM1ofwipTs:XrAk69fNSGpMYP7uh2sJQlGNc8NJRxxE

Score

10^/10

redline infostealer

Malware Config

Extracted

Family

redline

185.196.9.26:6302

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/4300-9-0x0000000000400000-0x0000000000450000-memory.dmp family_redline
Loads dropped DLL 1 IoCs

Processes:

StrangeOstrumV2.exe

pid process

2760 StrangeOstrumV2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

StrangeOstrumV2.exe

description pid process target process

PID 2760 set thread context of 4300 2760 StrangeOstrumV2.exe MSBuild.exe

resource	yara_rule
behavioral1/memory/4300-9-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

pid	process
2760	StrangeOstrumV2.exe

description	pid	process	target process
PID 2760 set thread context of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

StrangeOstrumV2.exe

description	pid	process	target process
PID 2760 wrote to memory of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe
PID 2760 wrote to memory of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe
PID 2760 wrote to memory of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe
PID 2760 wrote to memory of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe
PID 2760 wrote to memory of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe
PID 2760 wrote to memory of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe
PID 2760 wrote to memory of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe
PID 2760 wrote to memory of 4300	2760	StrangeOstrumV2.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\StrangeOstrumV2.exe
"C:\Users\Admin\AppData\Local\Temp\StrangeOstrumV2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:4300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
416KB

MD5
d922ce4f3346515ca2b68e2087968b2f

SHA1
795d03f4ea0f6d9ea34e54d6bfa89299c6d667ec

SHA256
4bcc0d0119071ae3dcd6377680f762e631591f9dc5ea45a68ad943a48b1f6d1b

SHA512
95fdd75a779422174685c91d9782d9d3607d2f7638fcb94a2a19399317d18c8bbee10cb71738347f55ec87a4b2b705dfbec995182e6f149c28bb76dba0a1c566

Download Submit
memory/2760-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/2760-1-0x0000000000010000-0x0000000000072000-memory.dmp

Filesize
392KB

Download
memory/2760-2-0x0000000002220000-0x0000000002226000-memory.dmp

Filesize
24KB

Download
memory/2760-23-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2760-12-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2760-11-0x00000000772E1000-0x0000000077401000-memory.dmp

Filesize
1.1MB

Download
memory/4300-15-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/4300-14-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/4300-13-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4300-16-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4300-17-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/4300-18-0x0000000006500000-0x0000000006B18000-memory.dmp

Filesize
6.1MB

Download
memory/4300-19-0x0000000005FF0000-0x00000000060FA000-memory.dmp

Filesize
1.0MB

Download
memory/4300-20-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/4300-21-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/4300-22-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/4300-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4300-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download