Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    10/09/2022, 15:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    523KB

  • MD5

    9224e118f4c08d6d1011ca694be9df3b

  • SHA1

    87799e7f922e8e0170a37c3c73ec7ca0a8b5ca92

  • SHA256

    aadcd7f826198c71e998d31ae4ddd4f219d61ed27338ab7aec0c055749f1bc24

  • SHA512

    597197e5d45712a88a8bda971a1f459228203b774b247efa6c1d405c9878b111b02063124e051b9a5f6eec11f5f220bad443917cd122a6da2b7c9d7cd96c6f8a

  • SSDEEP

    6144:vK8LfFo13WU+kmGbW8m5Oq3zmzZVhnkidyPaiWaXukbSBykZBItx+:S8LfK+mb25OqdEFywI

Score
10/10
redlineinstdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

inst

C2

78.153.144.20:40613

Attributes
  • auth_value

    7c24254e6f334180ca16aeb915f16863

Extracted

Family

redline

C2

81.161.229.143:27938

Attributes
  • auth_value

    6687e352a0604d495c3851d248ebf06f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 10 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Users\Admin\AppData\Local\Temp\323.exe
      "C:\Users\Admin\AppData\Local\Temp\323.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:940
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\323.exe
          Filesize

          137KB

          MD5

          9765dd2ca441a3330941fa56939c0037

          SHA1

          4366dbb2a77b2373e7e9d8a3219816d07cbd4e7e

          SHA256

          bac25cb9a84a38073693bcf767fbaef4e045012e79fa4462c5ef28579c52d704

          SHA512

          8f2e26fde61a54f8b9808411cc5d148af12af4e7253f9e4871ee03d13713a2485752e4282f16dcb17d9d3cd7fc4588f4afb8eb234c70f9fff5c26129af36bfc9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\323.exe
          Filesize

          137KB

          MD5

          9765dd2ca441a3330941fa56939c0037

          SHA1

          4366dbb2a77b2373e7e9d8a3219816d07cbd4e7e

          SHA256

          bac25cb9a84a38073693bcf767fbaef4e045012e79fa4462c5ef28579c52d704

          SHA512

          8f2e26fde61a54f8b9808411cc5d148af12af4e7253f9e4871ee03d13713a2485752e4282f16dcb17d9d3cd7fc4588f4afb8eb234c70f9fff5c26129af36bfc9

          Download Submit

        • \Users\Admin\AppData\Local\Temp\323.exe
          Filesize

          137KB

          MD5

          9765dd2ca441a3330941fa56939c0037

          SHA1

          4366dbb2a77b2373e7e9d8a3219816d07cbd4e7e

          SHA256

          bac25cb9a84a38073693bcf767fbaef4e045012e79fa4462c5ef28579c52d704

          SHA512

          8f2e26fde61a54f8b9808411cc5d148af12af4e7253f9e4871ee03d13713a2485752e4282f16dcb17d9d3cd7fc4588f4afb8eb234c70f9fff5c26129af36bfc9

          Download Submit

        • memory/940-60-0x0000000000CE0000-0x0000000000D08000-memory.dmp

          Filesize

          160KB

          Download

        • memory/1056-54-0x0000000000830000-0x00000000008BA000-memory.dmp

          Filesize

          552KB

          Download

        • memory/1056-55-0x0000000075A71000-0x0000000075A73000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1056-61-0x00000000007E0000-0x00000000007F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1736-63-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1736-64-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1736-66-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1736-67-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1736-68-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1736-71-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1736-73-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1736-74-0x0000000000020000-0x0000000000026000-memory.dmp

          Filesize

          24KB

          Download