Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2022 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    434KB

  • MD5

    a02c32933a9afef8c2c3f624d8e0a50c

  • SHA1

    0e91dc7fe61aaab801c8492fcbaf623090c31ab8

  • SHA256

    7110b169b91367725a879b62e6a678126757daf30a942e55ad6b8fee54a446db

  • SHA512

    e3f7ba98fbb8bc2042b957a432bdda3159bcfee8779c60e297a5d650e6b005ebe3f645140d9c2beef5dd1dbecfad47c0c2bb2c97a2ee80b56a7e4e0b485a2696

  • SSDEEP

    6144:NlRF9a28qZ/8zBuMEaBChkJGRwfqUKDPp5xI/nG7:1fP8Y88MEawk/nI

Score
10/10
redlinenam6.1infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

nam6.1

C2

103.89.90.61:34589

Attributes
  • auth_value

    5a3c8b8880f6d03e2acaaa0ba12776e3

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3116-139-0x0000000007520000-0x000000000762A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3116-141-0x0000000005360000-0x00000000053D6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3116-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3116-136-0x0000000000360000-0x0000000000380000-memory.dmp
    Filesize

    128KB

    Download
  • memory/3116-137-0x0000000005B70000-0x0000000006188000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3116-138-0x00000000073F0000-0x0000000007402000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3116-147-0x0000000007C00000-0x0000000007C50000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3116-140-0x0000000007460000-0x000000000749C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3116-146-0x0000000008970000-0x0000000008E9C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3116-142-0x0000000005480000-0x0000000005512000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3116-143-0x0000000007CC0000-0x0000000008264000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3116-144-0x0000000005460000-0x000000000547E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3116-145-0x0000000008270000-0x0000000008432000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4776-132-0x0000000000F00000-0x0000000000F72000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4776-133-0x00000000058B0000-0x0000000005916000-memory.dmp
    Filesize

    408KB

    Download