Overview

overview

10

Static

static

10

23b72f054c...4b.exe

windows7-x64

10

23b72f054c...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2022, 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23b72f054ccc71fa256aa4dcfbff274b.exe

  • Size

    107KB

  • MD5

    23b72f054ccc71fa256aa4dcfbff274b

  • SHA1

    76468272609998bf85ece205ce5cb063d9fd0aed

  • SHA256

    18426a7fce363e473c0200934a007bc1e3a832f1793236fcca179d734d1a5e1e

  • SHA512

    56599429edd4e0dc6fbf334ae75258ccb629f47fae6aecfd56a51c43ac4c592fbc42a25020bf273e2b264c936bbdda67a197e54935b530c6a38b3b287bbe4fc5

  • SSDEEP

    3072:hcvFBcCYcpiwI9gZFsSiuHE8QcN4qsDHhv4EASNs:hcvafWiukVcNgHhv4jS

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

C2

78.24.216.5:42717

Attributes
  • auth_value

    6687e352a0604d495c3851d248ebf06f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23b72f054ccc71fa256aa4dcfbff274b.exe
    "C:\Users\Admin\AppData\Local\Temp\23b72f054ccc71fa256aa4dcfbff274b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:552

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/552-132-0x00000000003C0000-0x00000000003E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/552-133-0x00000000052B0000-0x00000000058C8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/552-134-0x0000000004D50000-0x0000000004D62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/552-135-0x0000000004E80000-0x0000000004F8A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/552-136-0x0000000004DB0000-0x0000000004DEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/552-137-0x00000000050E0000-0x0000000005146000-memory.dmp

    Filesize

    408KB

    Download

  • memory/552-138-0x0000000005C50000-0x0000000005CC6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/552-139-0x0000000005D90000-0x0000000005E22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/552-140-0x00000000063E0000-0x0000000006984000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/552-141-0x0000000005F60000-0x0000000005F7E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/552-142-0x0000000006B60000-0x0000000006D22000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/552-143-0x0000000007970000-0x0000000007E9C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/552-144-0x0000000006AC0000-0x0000000006B10000-memory.dmp

    Filesize

    320KB

    Download