Overview

overview

10

Static

static

b2ea7a9d25...8b.exe

windows7_x64

10

b2ea7a9d25...8b.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    25-10-2021 05:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2ea7a9d25b82319f1dc39b3da1dc38b.exe

  • Size

    383KB

  • MD5

    b2ea7a9d25b82319f1dc39b3da1dc38b

  • SHA1

    a9dfe41eaad0b74db20bb4ee2daa890d00d7b3dc

  • SHA256

    ec59c46ebb679e7f4493c95caf7fe531a53070f8575fcb6ddee5754bfbcdc5ef

  • SHA512

    547c2a364ea549773adc464255bf548fa3b138eb1c1591ca4441ab17c5ede68248981a965d75170994e5ba0855548c24994ee8c6d5379f29911418c382a55731

Score
10/10
redlinetm2110discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

TM2110

C2

109.248.11.240:17314

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2ea7a9d25b82319f1dc39b3da1dc38b.exe
    "C:\Users\Admin\AppData\Local\Temp\b2ea7a9d25b82319f1dc39b3da1dc38b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\b2ea7a9d25b82319f1dc39b3da1dc38b.exe
      C:\Users\Admin\AppData\Local\Temp\b2ea7a9d25b82319f1dc39b3da1dc38b.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:600

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b2ea7a9d25b82319f1dc39b3da1dc38b.exe.log
    MD5

    41fbed686f5700fc29aaccf83e8ba7fd

    SHA1

    5271bc29538f11e42a3b600c8dc727186e912456

    SHA256

    df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

    SHA512

    234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

    Download Submit

  • memory/600-130-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-121-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/600-127-0x0000000005030000-0x0000000005031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-137-0x00000000071D0000-0x00000000071D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-128-0x0000000004F80000-0x0000000004F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-122-0x000000000041852A-mapping.dmp

    Download

  • memory/600-125-0x00000000054F0000-0x00000000054F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-129-0x0000000004EE0000-0x00000000054E6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/600-136-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-133-0x0000000005E60000-0x0000000005E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-126-0x0000000004F00000-0x0000000004F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-131-0x00000000052B0000-0x00000000052B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-115-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-118-0x0000000004F40000-0x0000000004F41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-119-0x0000000005160000-0x0000000005161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-120-0x0000000005670000-0x0000000005671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-117-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

    Filesize

    4KB

    Download