Overview

overview

10

Static

static

b5fc67332e...bc.exe

windows7_x64

10

b5fc67332e...bc.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5fc67332e05420980a00e2e4da7ebbc.exe

  • Size

    432KB

  • MD5

    b5fc67332e05420980a00e2e4da7ebbc

  • SHA1

    19394812eefe2e09ba724a580a5c89309fef924d

  • SHA256

    a67250f4e3194d603043d506b4bc7c6112bd61a56bf3521e1ee1d95b22a17147

  • SHA512

    36d95a4a4841371604a36740a93edc916786acd87e51c402dd2031f81da5ec704aa35e1bb010d7007f8233c3973a8757a962e3c49d13d091b87a3384239e7aa7

Score
10/10
redlinelyla2109infostealer

Malware Config

Extracted

Family

redline

Botnet

lyla2109

C2

213.166.69.181:64650

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
    "C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
      C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
      2⤵
        PID:3100
      • C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
        C:\Users\Admin\AppData\Local\Temp\b5fc67332e05420980a00e2e4da7ebbc.exe
        2⤵
          PID:3532

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b5fc67332e05420980a00e2e4da7ebbc.exe.log
        MD5

        41fbed686f5700fc29aaccf83e8ba7fd

        SHA1

        5271bc29538f11e42a3b600c8dc727186e912456

        SHA256

        df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

        SHA512

        234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

        Download Submit
      • memory/3532-127-0x0000000005700000-0x0000000005701000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3532-121-0x0000000000400000-0x0000000000422000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3532-122-0x000000000041C5E2-mapping.dmp
        Download
      • memory/3532-126-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3532-128-0x0000000005830000-0x0000000005831000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3532-129-0x0000000005760000-0x0000000005761000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3532-130-0x00000000057E0000-0x00000000057E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3532-131-0x00000000056D0000-0x0000000005CD6000-memory.dmp
        Filesize

        6.0MB

        Download
      • memory/3608-118-0x0000000005690000-0x0000000005691000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3608-119-0x0000000005D00000-0x0000000005D01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3608-120-0x0000000005660000-0x00000000056D6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3608-117-0x00000000056E0000-0x00000000056E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3608-115-0x0000000000D50000-0x0000000000D51000-memory.dmp
        Filesize

        4KB

        Download