redline | 460a622d1fa2330e1a73155bc7c80307895e01d21103ecb20e9db863c9ea6a1f

Analysis

max time kernel
30s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 09:35

Target

github.software.1.2.8.exe
Size

934KB
MD5

0179b1deef023bb8797577cc4d02b4b2
SHA1

89ac3e9ed8c6cf136f291188bfbc0fd9ead5c95a
SHA256

460a622d1fa2330e1a73155bc7c80307895e01d21103ecb20e9db863c9ea6a1f
SHA512

e3052dd2edb787be0cd90b6e2aadb74f632711b381408831b6f21b6952bc8fe41cfe4d086dacd24e59ba891d31b4e5cfa000bb40937cfd02f32ad0f284679642
SSDEEP

24576:jidbdQCtwExZxOFyC0F73Os7mRkpxvZer57DTs23emghGp5q:OwExZxOF9f0mRkppZedo4J/p5q

Score

10^/10

Family

redline

Botnet

red

147.45.44.12:13830

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/4152-1-0x0000000000400000-0x0000000000450000-memory.dmp family_redline
Suspicious use of SetThreadContext 1 IoCs

Processes:

github.software.1.2.8.exe

description pid process target process

PID 3204 set thread context of 4152 3204 github.software.1.2.8.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4472 3204 WerFault.exe github.software.1.2.8.exe

resource	yara_rule
behavioral1/memory/4152-1-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

description	pid	process	target process
PID 3204 set thread context of 4152	3204	github.software.1.2.8.exe	RegAsm.exe

pid	pid_target	process	target process
4472	3204	WerFault.exe	github.software.1.2.8.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

github.software.1.2.8.exe

description	pid	process	target process
PID 3204 wrote to memory of 4152	3204	github.software.1.2.8.exe	RegAsm.exe
PID 3204 wrote to memory of 4152	3204	github.software.1.2.8.exe	RegAsm.exe
PID 3204 wrote to memory of 4152	3204	github.software.1.2.8.exe	RegAsm.exe
PID 3204 wrote to memory of 4152	3204	github.software.1.2.8.exe	RegAsm.exe
PID 3204 wrote to memory of 4152	3204	github.software.1.2.8.exe	RegAsm.exe
PID 3204 wrote to memory of 4152	3204	github.software.1.2.8.exe	RegAsm.exe
PID 3204 wrote to memory of 4152	3204	github.software.1.2.8.exe	RegAsm.exe
PID 3204 wrote to memory of 4152	3204	github.software.1.2.8.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 280
2⤵
- Program crash
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3204 -ip 3204
1⤵
PID:1472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1872

memory/3204-0-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4152-1-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4152-2-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/4152-3-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/4152-4-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/4152-5-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/4152-6-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4152-7-0x0000000006650000-0x0000000006C68000-memory.dmp

Filesize
6.1MB

Download
memory/4152-8-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4152-9-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/4152-10-0x0000000005830000-0x000000000586C000-memory.dmp

Filesize
240KB

Download
memory/4152-11-0x0000000005880000-0x00000000058CC000-memory.dmp

Filesize
304KB

Download
memory/4152-12-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/4152-13-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download