Overview

overview

10

Static

static

Win7: 5min timeout

windows7_x64

10

Win10: 5min timeout

windows10_x64

10

Resubmissions

05-04-2021 09:29

210405-8ga7y7zk36 10

03-04-2021 06:00

210403-gtexn6kycs 10

Analysis

  • max time kernel
    116s
  • max time network
    302s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-04-2021 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup[1].exe

  • Size

    1.3MB

  • MD5

    0657125b7850a7b5796bf6979da502f0

  • SHA1

    686d1ad201f0706daec7dd9bfa60fd1144a7b876

  • SHA256

    c1a85afd7acdaf7ab0d6839cc68d67ca75455fa9fb3d62a95f6579f07899df49

  • SHA512

    879167e0b34e015e62828151a05b785f3f9b99e2826be73fe9afc4d671dedec19c9994d2481c060e453367885ba16cce0252e7049bdb59c5ee90885f6527e10c

Score
10/10
redline010402infostealer

Malware Config

Extracted

Family

redline

Botnet

010402

C2

194.135.20.72:3214

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
    "C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
      "C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
      2⤵
        PID:2924
      • C:\Users\Admin\AppData\Local\Temp\Setup[1].exe
        "C:\Users\Admin\AppData\Local\Temp\Setup[1].exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4296

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup[1].exe.log
      MD5

      5b50852bf977f644bcd5997b7b5883c1

      SHA1

      8b53694b796620422b366dc5b8dbb3ce3060473c

      SHA256

      667bc8c8d53eddf6355877344b669db4fb9762e6320afc7316c3786213a254a9

      SHA512

      7e794fa7de5eca585000ef840ca821f36205d25b389747339d8b8d58b1ef3cd16306e62288f86027cbe6a76eeccc9dc7634a11c94ba551f3ce42ee874fac712d

      Download Submit
    • memory/4296-15-0x000000000042977E-mapping.dmp
      Download
    • memory/4296-27-0x0000000006140000-0x0000000006141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4296-26-0x0000000005EE0000-0x0000000005EE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4296-25-0x0000000005EA0000-0x0000000005EA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4296-24-0x0000000005E40000-0x0000000005E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4296-23-0x00000000063B0000-0x00000000063B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4296-22-0x0000000005BE0000-0x0000000005BE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4296-21-0x0000000005790000-0x0000000005791000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4296-20-0x0000000005690000-0x0000000005691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4296-17-0x0000000073900000-0x0000000073FEE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4296-14-0x0000000000400000-0x0000000000430000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4684-8-0x0000000004C80000-0x0000000004C81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-13-0x0000000007F70000-0x0000000007FA1000-memory.dmp
      Filesize

      196KB

      Download
    • memory/4684-12-0x0000000005A00000-0x0000000005A71000-memory.dmp
      Filesize

      452KB

      Download
    • memory/4684-11-0x0000000004CB0000-0x0000000004CBC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4684-10-0x0000000004C60000-0x0000000004C61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-9-0x0000000004F40000-0x0000000004F41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-2-0x0000000073900000-0x0000000073FEE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4684-7-0x0000000004D80000-0x0000000004D81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-6-0x0000000005280000-0x0000000005281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-5-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-3-0x0000000000310000-0x0000000000311000-memory.dmp
      Filesize

      4KB

      Download