Overview

overview

10

Static

static

183a84c3d5...7c.exe

windows7_x64

10

183a84c3d5...7c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    26s
  • max time network
    25s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    02-02-2022 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    183a84c3d59fa6de2b34b5ccbc32637c.exe

  • Size

    489KB

  • MD5

    183a84c3d59fa6de2b34b5ccbc32637c

  • SHA1

    6e30576335ccda4544d4120af63317e634dc49ed

  • SHA256

    d0eed3b006b239de23f8fc768ad6afcb82d6e7e435081602f0aeb2a0d639614e

  • SHA512

    bb273052914d30ad66191950a301f9899cf28d7ac52ea3d0a1c1cf1e02f8ffcfccffce031533fcf5d6b39aaf139185dcce683f32fe4b01e55bcb4d21291fa495

Score
10/10
redline1infostealer

Malware Config

Extracted

Family

redline

Botnet

1

C2

stata2021.best:21675

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\183a84c3d59fa6de2b34b5ccbc32637c.exe
    "C:\Users\Admin\AppData\Local\Temp\183a84c3d59fa6de2b34b5ccbc32637c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\183a84c3d59fa6de2b34b5ccbc32637c.exe
      C:\Users\Admin\AppData\Local\Temp\183a84c3d59fa6de2b34b5ccbc32637c.exe
      2⤵
        PID:1680
      • C:\Users\Admin\AppData\Local\Temp\183a84c3d59fa6de2b34b5ccbc32637c.exe
        C:\Users\Admin\AppData\Local\Temp\183a84c3d59fa6de2b34b5ccbc32637c.exe
        2⤵
          PID:4696
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe f2696bf899cf842b55fc33719c5f95dd RnW1TiaOoESXGdlbXssfvQ.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:1420
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2872

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\183a84c3d59fa6de2b34b5ccbc32637c.exe.log
        MD5

        e5352797047ad2c91b83e933b24fbc4f

        SHA1

        9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

        SHA256

        b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

        SHA512

        dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

        Download Submit
      • memory/2872-180-0x0000019484130000-0x0000019484140000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2872-181-0x0000019484190000-0x00000194841A0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2872-182-0x00000194871F0000-0x00000194871F4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3380-130-0x0000000000C00000-0x0000000000C80000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3380-133-0x0000000005670000-0x00000000056E6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3380-152-0x00000000055B0000-0x00000000055CE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3380-178-0x0000000005CE0000-0x0000000006284000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4696-183-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/4696-190-0x0000000005DD0000-0x00000000063E8000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/4696-191-0x00000000057B0000-0x00000000057C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4696-192-0x00000000058E0000-0x00000000059EA000-memory.dmp
        Filesize

        1.0MB

        Download