Overview

overview

10

Static

static

59713a0684...5f.exe

windows7-x64

10

59713a0684...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59713a068408f7f956a62ea5776a305f.exe

  • Size

    795KB

  • MD5

    59713a068408f7f956a62ea5776a305f

  • SHA1

    b4908968edf3cc51c6e3d7351056c17df60eabb8

  • SHA256

    ef51cd27a4e90f92b82791d972419291ec2aa98bb950e8b64447a8cc4d5207ac

  • SHA512

    b416b5bfabaec0de704ae07b7110635a9485405fae4c45091b564edf76b3a1e2034df7e00944c43df520bd6b7eca6e7e30d3e551fb7ad938ccd5115cb5af7ea6

Score
10/10
redlinetpbdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

TPB

C2

amrican-sport-live-stream.cc:4581

Attributes
  • auth_value

    9af3f668d2aa93965a3f83753e8ccb3f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59713a068408f7f956a62ea5776a305f.exe
    "C:\Users\Admin\AppData\Local\Temp\59713a068408f7f956a62ea5776a305f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
        PID:1820
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        2⤵
          PID:4880
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2100

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1820-135-0x0000000000000000-mapping.dmp
        Download
      • memory/2100-142-0x0000000005900000-0x000000000593C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2100-143-0x0000000006950000-0x00000000069C6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2100-139-0x0000000005E40000-0x0000000006458000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/2100-147-0x000000000A2D0000-0x000000000A7FC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/2100-140-0x00000000058A0000-0x00000000058B2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2100-146-0x0000000009650000-0x0000000009812000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/2100-137-0x0000000000000000-mapping.dmp
        Download
      • memory/2100-141-0x00000000059D0000-0x0000000005ADA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2100-145-0x0000000006E10000-0x0000000006E60000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2100-144-0x0000000006D20000-0x0000000006D3E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2100-138-0x0000000000400000-0x0000000000444000-memory.dmp
        Filesize

        272KB

        Download
      • memory/2720-131-0x0000000005840000-0x0000000005862000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2720-130-0x0000000000CE0000-0x0000000000DAC000-memory.dmp
        Filesize

        816KB

        Download
      • memory/2720-132-0x0000000005930000-0x0000000005996000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2720-133-0x0000000033D00000-0x0000000033D92000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2720-134-0x0000000034350000-0x00000000348F4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4880-136-0x0000000000000000-mapping.dmp
        Download