Overview

overview

10

Static

static

10

b67d29172e...f1.exe

windows7_x64

10

b67d29172e...f1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b67d29172e65df8ad67bb1bcb2a91ef1.exe

  • Size

    107KB

  • MD5

    b67d29172e65df8ad67bb1bcb2a91ef1

  • SHA1

    49c759419071cb33da48a3355e872792112af69d

  • SHA256

    aaf2bb6ec3848842acc9e7c4ce6eca304f3adf4750e18a0ba53ad124445f4826

  • SHA512

    91f23742184cd0341a116e3bd259dbca13ebbf1355a1726167b0a009e2e4cf46d236d3cbedd0b40e4f04c42c4520e7e99140898d3752dbf1d97b03ef52a015e4

Score
10/10
redlinestepme#4discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

stepme#4

C2

51.89.155.45:22595

Attributes
  • auth_value

    cae2ff6a126e46df01eaadfb927c199b

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b67d29172e65df8ad67bb1bcb2a91ef1.exe
    "C:\Users\Admin\AppData\Local\Temp\b67d29172e65df8ad67bb1bcb2a91ef1.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2948-130-0x00000000005D0000-0x00000000005F0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2948-131-0x0000000005580000-0x0000000005B98000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2948-132-0x0000000004F60000-0x0000000004F72000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2948-133-0x0000000005090000-0x000000000519A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2948-134-0x0000000004FC0000-0x0000000004FFC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2948-135-0x0000000005330000-0x00000000053A6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2948-136-0x00000000053B0000-0x0000000005442000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2948-137-0x0000000006150000-0x00000000066F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2948-138-0x0000000005550000-0x000000000556E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2948-139-0x0000000005F30000-0x0000000005F96000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2948-140-0x00000000077A0000-0x0000000007962000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2948-141-0x0000000007EA0000-0x00000000083CC000-memory.dmp
    Filesize

    5.2MB

    Download