Overview

overview

10

Static

static

a08729a8e9...4b.exe

windows7_x64

10

a08729a8e9...4b.exe

windows10_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    27-09-2021 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a08729a8e9457d19abe9c26fb148c74b.exe

  • Size

    431KB

  • MD5

    a08729a8e9457d19abe9c26fb148c74b

  • SHA1

    d1451fdf426c4b95dbdc1068d0cb5628db6e4a40

  • SHA256

    5940f101c2313af56b4a56a059c9bc99db6384c9d5b2c78d214dcbb4925da303

  • SHA512

    65d928d0ebbd312e02e23492b1fd1b140f19d935bc8851233a6807d8827b23963b9ebc3d77946d630483e26fbd60015e924b81a6bd37296ef9ab1a62fd3c1054

Score
10/10
redline@rulojadiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

@Ruloja

C2

45.147.197.123:31820

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a08729a8e9457d19abe9c26fb148c74b.exe
    "C:\Users\Admin\AppData\Local\Temp\a08729a8e9457d19abe9c26fb148c74b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\a08729a8e9457d19abe9c26fb148c74b.exe
      C:\Users\Admin\AppData\Local\Temp\a08729a8e9457d19abe9c26fb148c74b.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2896

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a08729a8e9457d19abe9c26fb148c74b.exe.log
    MD5

    41fbed686f5700fc29aaccf83e8ba7fd

    SHA1

    5271bc29538f11e42a3b600c8dc727186e912456

    SHA256

    df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

    SHA512

    234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

    Download Submit

  • memory/2164-117-0x0000000004E20000-0x0000000004E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-118-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-119-0x0000000005080000-0x0000000005081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-120-0x0000000005590000-0x0000000005591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-115-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-126-0x0000000005390000-0x0000000005391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-122-0x000000000041C5DE-mapping.dmp

    Download

  • memory/2896-121-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2896-127-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-128-0x0000000004F10000-0x0000000004F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-129-0x0000000004E40000-0x0000000004E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-130-0x0000000004E80000-0x0000000004E81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-131-0x0000000004D80000-0x0000000005386000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2896-132-0x0000000006850000-0x0000000006851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-133-0x0000000006F50000-0x0000000006F51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-136-0x0000000006B40000-0x0000000006B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2896-138-0x0000000007980000-0x0000000007981000-memory.dmp

    Filesize

    4KB

    Download