Overview

overview

10

Static

static

a508db52da...01.exe

windows7_x64

10

a508db52da...01.exe

windows10_x64

10

Analysis

  • max time kernel
    28s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-07-2021 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a508db52daeb8b346612062b9080b301.exe

  • Size

    371KB

  • MD5

    a508db52daeb8b346612062b9080b301

  • SHA1

    892023f25f110e41be76bb778bfe0ed36fe71145

  • SHA256

    420b49fe0c671b7cad57dcdee0839d65c565c5e84a00c0470e5fe7380248d452

  • SHA512

    69e56b26957c7a5e0af85bc16db2083675a2fdc35727ea6d099478fec8e0b3844da98d8ce92ef0ab5c219d58de8b725a007e6f9f0483e32c432f20951fe24c6d

Score
10/10
redlineatomsdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

atoms

C2

176.96.238.188:20427

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a508db52daeb8b346612062b9080b301.exe
    "C:\Users\Admin\AppData\Local\Temp\a508db52daeb8b346612062b9080b301.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Users\Admin\AppData\Local\Temp\a508db52daeb8b346612062b9080b301.exe
      C:\Users\Admin\AppData\Local\Temp\a508db52daeb8b346612062b9080b301.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:192

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a508db52daeb8b346612062b9080b301.exe.log
    MD5

    41fbed686f5700fc29aaccf83e8ba7fd

    SHA1

    5271bc29538f11e42a3b600c8dc727186e912456

    SHA256

    df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

    SHA512

    234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

    Download Submit

  • memory/192-129-0x00000000053F0000-0x00000000053F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/192-120-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/192-126-0x0000000005140000-0x0000000005141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/192-136-0x00000000072D0000-0x00000000072D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/192-127-0x0000000005180000-0x0000000005181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/192-121-0x000000000041884A-mapping.dmp

    Download

  • memory/192-124-0x0000000005690000-0x0000000005691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/192-128-0x0000000005080000-0x0000000005686000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/192-133-0x0000000006950000-0x0000000006951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/192-131-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/192-125-0x00000000050E0000-0x00000000050E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/192-130-0x00000000066A0000-0x00000000066A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-114-0x0000000000940000-0x0000000000941000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-117-0x0000000005250000-0x0000000005251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-118-0x0000000005360000-0x0000000005361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-119-0x00000000058E0000-0x00000000058E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-116-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download