Overview

overview

10

Static

static

503fb1498e...60.exe

windows7_x64

10

503fb1498e...60.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294178s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    13-04-2022 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    503fb1498e1c257cf61ade325e9a3a60.exe

  • Size

    491KB

  • MD5

    503fb1498e1c257cf61ade325e9a3a60

  • SHA1

    786094aece0a643b4924b02ef98b82c8585394f1

  • SHA256

    32c1e1a834294cc3b4ce9c790c8faf4bd218412859b55b21129ffe991064eeae

  • SHA512

    4b8eb12a82275ae1e084a76aea4293bc502ec71bfef100bf0391e836b520701374430415aac6a5b6b9bf89e815b989f87c0505721d2cbd153b040239c2d246e1

Score
10/10
redlineausdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

AUS

C2

147.189.161.112:42516

Attributes
  • auth_value

    2e0aea8f686e4f39fb1ab50a9d815c7c

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\503fb1498e1c257cf61ade325e9a3a60.exe
    "C:\Users\Admin\AppData\Local\Temp\503fb1498e1c257cf61ade325e9a3a60.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Users\Admin\AppData\Local\Temp\503fb1498e1c257cf61ade325e9a3a60.exe
      C:\Users\Admin\AppData\Local\Temp\503fb1498e1c257cf61ade325e9a3a60.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/960-55-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-56-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-58-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-60-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-61-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-64-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/960-66-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1592-54-0x0000000000E40000-0x0000000000EC2000-memory.dmp

    Filesize

    520KB

    Download