Analysis

  • max time kernel
    119s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-08-2022 07:30

General

  • Target

    379a6a4f7be0d0e21a5e5b996ea8aeeb.exe

  • Size

    1.2MB

  • MD5

    379a6a4f7be0d0e21a5e5b996ea8aeeb

  • SHA1

    27df283dcb89ee72f304df89d3938239acc32439

  • SHA256

    3080f7ed1cb9ec8fbf4c0cf992bd0eb9dba5f69d0342f58ebcc8943d28c77a97

  • SHA512

    e6705fc43877d4f46052f03dbd0a17cdc5afee7b2d6eec4f944556d005a613e9b356361ad3df9cb5164925f5429109d348a4c0b90018220047f8956d9b32f4b8

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Sup: @mr_golds)

C2

193.233.193.14:8163

Attributes
  • auth_value

    56c6f7b9024c076f0a96931453da7e56

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\379a6a4f7be0d0e21a5e5b996ea8aeeb.exe
    "C:\Users\Admin\AppData\Local\Temp\379a6a4f7be0d0e21a5e5b996ea8aeeb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:608
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:187944
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://take-realprize.life/?u=lq1pd08&o=hdck0gl
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:188204
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:188204 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:188304

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    340B

    MD5

    345732012fdfe319a693a519b4243758

    SHA1

    5f380e81606e1a72b6118753ffa68199b537f37a

    SHA256

    83b9ced56062c5ffc817179ebe38b850404b51eb299026315a010eb4d97805e0

    SHA512

    6e58295fbea17e3a74e6aad226e1b3164168ce211aba869ab9502f507b8f45eb674d4a3c51fabb887dc2aa36afaa1a943067b800e6d1ef21ca6a088bf8ea04ad

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1BVWK5DN.txt

    Filesize

    607B

    MD5

    88e17640d0ad96d4410e30de6a82d30a

    SHA1

    966a46ebac7ce4424a24f6c25309e59469957be1

    SHA256

    3ac04aa0ef23127e3a7f365e65b5fd55f81f19c0761e62a1f8d2059f9bbebaa7

    SHA512

    9ab9ac37a69bdf1026f3431f5def5cdc6cdbb4e0e56e0f46ddbe819cb0760b95a1c16e21f6ac22936f749bc95adc9f9b365bf1b1fa0d9d57d5729c5cd1783fb5

  • memory/187944-54-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/187944-56-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/187944-61-0x000000000041AE1E-mapping.dmp

  • memory/187944-62-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/187944-63-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/187944-64-0x0000000074F01000-0x0000000074F03000-memory.dmp

    Filesize

    8KB