Overview

overview

10

Static

static

95766a747e...0c.exe

windows7_x64

10

95766a747e...0c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    13-04-2022 20:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95766a747e7920c6b82d9411ba71c20c.exe

  • Size

    1.2MB

  • MD5

    95766a747e7920c6b82d9411ba71c20c

  • SHA1

    e9b774afad9c66e7d3c87eaa85924e572ee5704c

  • SHA256

    468628cdcfdb07ec88a16758f4418400a01a7bf2cd191ca28f8b7a762779a2ec

  • SHA512

    f26a0255382f00065715502b1574aa16a85096798c119641b63348fb5edc88e8299c0ddefaae601bedef6914899cc1dd6f6a01152c25d108f574fc8861a2eed2

Score
10/10
metastealerredlinediscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

C2

109.107.179.79:47542

Attributes
  • auth_value

    d5efb9c25db8cdc8bd5a2f2ed476bbb1

Signatures

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Downloads MZ/PE file
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95766a747e7920c6b82d9411ba71c20c.exe
    "C:\Users\Admin\AppData\Local\Temp\95766a747e7920c6b82d9411ba71c20c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1708-130-0x0000000000E90000-0x0000000000FCE000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1708-131-0x0000000006000000-0x00000000065A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1708-132-0x0000000005950000-0x00000000059E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1708-133-0x0000000005A00000-0x0000000005A0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1708-134-0x0000000005A50000-0x0000000005FF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2152-136-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2152-137-0x00000000056D0000-0x0000000005CE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2152-138-0x0000000005170000-0x0000000005182000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2152-139-0x00000000052A0000-0x00000000053AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2152-140-0x00000000051D0000-0x000000000520C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2152-141-0x0000000005630000-0x0000000005696000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2152-142-0x0000000006190000-0x0000000006206000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2152-143-0x0000000006950000-0x000000000696E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2152-144-0x0000000006B70000-0x0000000006BC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2152-145-0x0000000007A40000-0x0000000007C02000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2152-146-0x0000000008140000-0x000000000866C000-memory.dmp

    Filesize

    5.2MB

    Download