Overview

overview

10

Static

static

1921292380.exe

windows7_x64

10

1921292380.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1921292380.exe

  • Size

    719KB

  • MD5

    0068f1a9d11db46097fae660005c1228

  • SHA1

    1a7fc24cccaa5bfeae87446a22605a0a475bb409

  • SHA256

    88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926

  • SHA512

    75525095421bf3866e4f465ed2ed89759230248ec08064865b6cf0435c254586960ee8c957a06a16a5c4693bd386338ec7554e820d94045674f172c141938a36

Score
10/10
redline1.0.2.0infostealer

Malware Config

Extracted

Family

redline

Botnet

1.0.2.0

C2

185.183.32.227:51498

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1921292380.exe
    "C:\Users\Admin\AppData\Local\Temp\1921292380.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3612
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\Madder.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Users\Admin\AppData\Local\Temp\Madder.exe
        C:\Users\Admin\AppData\Local\Temp\Madder.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:296
        • C:\Users\Admin\AppData\Local\Temp\Madder.exe
          C:\Users\Admin\AppData\Local\Temp\Madder.exe
          4⤵
          • Executes dropped EXE
          PID:2156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Madder.exe.log
    MD5

    41fbed686f5700fc29aaccf83e8ba7fd

    SHA1

    5271bc29538f11e42a3b600c8dc727186e912456

    SHA256

    df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

    SHA512

    234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    cca64b4be9fb45239983d39f3b4b0a5b

    SHA1

    a9e467eeb239642e6f366a73101d64c0dd90f214

    SHA256

    66adad4bd27c9902804db368327c0dceed10fe506e2549e303dd27c703a75082

    SHA512

    9c847679cb8e062f6fbd6a530711440da5e548e29008f2ca73e6081a2d144901777033409a281270d129cd77b449ae3dcaefd728279c8d143eee7bdff731015d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Madder.exe
    MD5

    b8c0aa13740f17c223af874f41f446d1

    SHA1

    d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

    SHA256

    ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

    SHA512

    f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Madder.exe
    MD5

    b8c0aa13740f17c223af874f41f446d1

    SHA1

    d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

    SHA256

    ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

    SHA512

    f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Madder.exe
    MD5

    b8c0aa13740f17c223af874f41f446d1

    SHA1

    d2e9a68e012e5d79852f7c64aee1d3dc28fbfe0e

    SHA256

    ca165fd69131cf44a31bef8e47dbc7b6ba3f08aae5c6f08e0b6a81bc6ae3f35e

    SHA512

    f65a2f997fdcf2b3b0a2afdf3446c7f825430e9f96343485309a59e35431b7d362b5dcf499c02a9154bacfdc482f01e7c577fa089c6eb760e53011d4ad84bd2e

    Download Submit
  • memory/296-131-0x0000000005470000-0x0000000005471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/296-130-0x00000000051A0000-0x00000000051A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/296-123-0x0000000000970000-0x0000000000971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/296-134-0x0000000005980000-0x0000000005981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/296-117-0x0000000000000000-mapping.dmp
    Download
  • memory/296-127-0x0000000005220000-0x0000000005221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1272-115-0x0000000000000000-mapping.dmp
    Download
  • memory/2156-149-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-165-0x0000000004F10000-0x0000000005516000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2156-148-0x0000000005520000-0x0000000005521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-151-0x0000000005020000-0x0000000005021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-143-0x000000000041B23E-mapping.dmp
    Download
  • memory/2156-150-0x00000000050F0000-0x00000000050F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2156-142-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2180-138-0x0000000008470000-0x0000000008471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-164-0x00000000087C0000-0x00000000087C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-136-0x0000000007E20000-0x0000000007E21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-140-0x0000000001390000-0x0000000001391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-135-0x00000000075B0000-0x00000000075B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-133-0x0000000007450000-0x0000000007451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-132-0x0000000007320000-0x0000000007321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-129-0x0000000004972000-0x0000000004973000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-128-0x0000000004970000-0x0000000004971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-126-0x0000000007680000-0x0000000007681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-125-0x0000000004900000-0x0000000004901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-121-0x0000000001390000-0x0000000001391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-157-0x0000000009210000-0x0000000009243000-memory.dmp
    Filesize

    204KB

    Download
  • memory/2180-137-0x0000000007590000-0x0000000007591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-122-0x0000000001390000-0x0000000001391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-166-0x000000007EFD0000-0x000000007EFD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-172-0x0000000009600000-0x0000000009601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-173-0x0000000009790000-0x0000000009791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-174-0x0000000004973000-0x0000000004974000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2180-119-0x0000000000000000-mapping.dmp
    Download
  • memory/3340-116-0x0000000000000000-mapping.dmp
    Download
  • memory/3612-388-0x0000000000000000-mapping.dmp
    Download
  • memory/3612-403-0x0000000001312000-0x0000000001313000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3612-402-0x0000000001310000-0x0000000001311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3612-424-0x000000007E0E0000-0x000000007E0E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3612-494-0x0000000001313000-0x0000000001314000-memory.dmp
    Filesize

    4KB

    Download