Overview

overview

10

Static

static

9

MAN/Engine.js

windows7_x64

1

MAN/Engine.js

windows10_x64

1

MAN/Installer.exe

windows7_x64

10

MAN/Installer.exe

windows10_x64

10

MAN/xNet.dll

windows7_x64

1

MAN/xNet.dll

windows10_x64

1

Resubmissions

31-07-2021 10:54

210731-ndslnzbtqn 10

30-07-2021 23:41

210730-flyceenazx 10

Analysis

  • max time kernel
    56s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    31-07-2021 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MAN/Installer.exe

  • Size

    1.6MB

  • MD5

    8a1995805ad65999ec546a1074ac9887

  • SHA1

    11d5589ca5ebb127ea57b89ee5da89e0b64fa4c6

  • SHA256

    2040517dac0b553d4a589bb8c14ca4329022e0ce5e5d0ef0f2c08a2deb10fb5b

  • SHA512

    cad4e187956e4db24d291ea725caf89439440eb97ebe9fa76438b76ada66ecc01a4143bf688c6506ec5148c79338e7f581305d2cb8ad17552c558c62706ae777

Score
10/10
redlinemastifinfostealer

Malware Config

Extracted

Family

redline

Botnet

mastif

C2

91.121.146.23:9519

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\MAN\Installer.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Installer.exe.log
    MD5

    5b50852bf977f644bcd5997b7b5883c1

    SHA1

    8b53694b796620422b366dc5b8dbb3ce3060473c

    SHA256

    667bc8c8d53eddf6355877344b669db4fb9762e6320afc7316c3786213a254a9

    SHA512

    7e794fa7de5eca585000ef840ca821f36205d25b389747339d8b8d58b1ef3cd16306e62288f86027cbe6a76eeccc9dc7634a11c94ba551f3ce42ee874fac712d

    Download Submit
  • memory/3244-119-0x0000000001AC0000-0x0000000001AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3244-118-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3244-124-0x0000000005F60000-0x0000000005F7C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/3244-116-0x0000000003480000-0x0000000003481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3244-120-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3244-121-0x0000000005A70000-0x0000000005A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3244-122-0x0000000001940000-0x000000000194B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3244-123-0x0000000008090000-0x0000000008117000-memory.dmp
    Filesize

    540KB

    Download
  • memory/3244-114-0x0000000000F30000-0x0000000000F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3244-117-0x0000000005FA0000-0x0000000005FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3860-135-0x0000000005390000-0x0000000005391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3860-126-0x0000000000418E3A-mapping.dmp
    Download
  • memory/3860-130-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3860-131-0x0000000002A80000-0x0000000002A81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3860-132-0x0000000005100000-0x0000000005101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3860-133-0x0000000002BC0000-0x0000000002BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3860-134-0x0000000002A60000-0x0000000002A72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3860-125-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download