Overview

overview

10

Static

static

4407a748e2...db.exe

windows7_x64

4407a748e2...db.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    14-04-2022 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4407a748e233449d07c814035d0e56db.exe

  • Size

    1.9MB

  • MD5

    4407a748e233449d07c814035d0e56db

  • SHA1

    1dbc95d08dbae1fc1d6e6a4e2f87581ff25c7ec0

  • SHA256

    2c047c4411660565df6518a63bb51220e78a0b51fecdc0c746b270597377669e

  • SHA512

    e50f350f04a15d9391231a7a61b4c61eaa3c3e8518bd48a9dde2fb63fec873b861e147982764308e9f7daca3d3f40f4ca2256cd6defeb304b9cde073a820fbb4

Score
10/10
metastealerredline@ansdvsvsvdinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

@ansdvsvsvd

C2

46.8.220.88:65531

Attributes
  • auth_value

    d7b874c6650abbcb219b4f56f4676fee

Signatures

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4407a748e233449d07c814035d0e56db.exe
    "C:\Users\Admin\AppData\Local\Temp\4407a748e233449d07c814035d0e56db.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/400-144-0x0000000006650000-0x00000000066C6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/400-143-0x0000000005B00000-0x0000000005B66000-memory.dmp
    Filesize

    408KB

    Download
  • memory/400-149-0x0000000007C50000-0x000000000817C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/400-148-0x0000000007550000-0x0000000007712000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/400-139-0x0000000005CB0000-0x00000000062C8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/400-140-0x0000000005740000-0x0000000005752000-memory.dmp
    Filesize

    72KB

    Download
  • memory/400-132-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/400-142-0x00000000057A0000-0x00000000057DC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/400-141-0x0000000005870000-0x000000000597A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/400-131-0x0000000000000000-mapping.dmp
    Download
  • memory/400-145-0x0000000006780000-0x0000000006812000-memory.dmp
    Filesize

    584KB

    Download
  • memory/400-146-0x0000000006DD0000-0x0000000007374000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/400-147-0x0000000006850000-0x000000000686E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2116-138-0x0000000000EE3000-0x0000000000EE5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2116-137-0x0000000000300000-0x00000000004E5000-memory.dmp
    Filesize

    1.9MB

    Download