Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-06-2022 02:42

General

  • Target

    118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe

  • Size

    3.6MB

  • MD5

    34a6cfdf1745cec12dfbbf98c3b9f9e5

  • SHA1

    11727439dc908ac568b280e9ce83a0abe013df20

  • SHA256

    118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5

  • SHA512

    5e021c59b6aba8029ba22fffcd947502b1901759501338f5b806b35928fd29b5d780121ed923cd209eb8ad4b950d11a134566b9c647d3c6f8a25e95b84138437

Malware Config

Extracted

Family

redline

Botnet

test1

C2

disandillanne.xyz:80

Attributes
  • auth_value

    49b58bceac3797b6c21fd0772031e010

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe
    "C:\Users\Admin\AppData\Local\Temp\118e8f3dd722b00bde8571f3b84cb278c21517e2c97e2795783b55263f44f1b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      PID:380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 476
      2⤵
      • Program crash
      PID:5080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 476
      2⤵
      • Program crash
      PID:3440
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 472
      2⤵
      • Program crash
      PID:4196
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 444 -ip 444
    1⤵
    PID:1516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 444 -ip 444
    1⤵
    PID:1524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 444 -ip 444
    1⤵
    PID:4304

Network

MITRE ATT&CK Matrix

Downloads

  • memory/380-136-0x0000000000420000-0x0000000000440000-memory.dmp
    Filesize: 128KB
  • memory/380-135-0x0000000000000000-mapping.dmp
  • memory/380-141-0x0000000004E70000-0x0000000005488000-memory.dmp
    Filesize: 6.1MB
  • memory/380-142-0x00000000048D0000-0x00000000048E2000-memory.dmp
    Filesize: 72KB
  • memory/380-143-0x0000000004A00000-0x0000000004B0A000-memory.dmp
    Filesize: 1.0MB
  • memory/380-144-0x0000000004930000-0x000000000496C000-memory.dmp
    Filesize: 240KB
  • memory/444-131-0x0000000000400000-0x00000000009E8000-memory.dmp
    Filesize: 5.9MB
  • memory/444-133-0x00000000026B0000-0x0000000002710000-memory.dmp
    Filesize: 384KB
  • memory/444-145-0x0000000000400000-0x00000000009E8000-memory.dmp
    Filesize: 5.9MB