Overview

overview

10

Static

static

for Luis/ ...df.exe

windows7-x64

10

for Luis/ ...df.exe

windows10-1703-x64

10

for Luis/ ...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    366s
  • max time network
    433s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27/09/2022, 02:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    for Luis/ Foundation.pdf.exe

  • Size

    700.0MB

  • MD5

    c029b2ee56752a77b6f2506224ce9d1d

  • SHA1

    1aeb1c211dd367d958e8a49245c2851fb1df6fdd

  • SHA256

    a1d01034ff1527f196438acd996f40c66eb146d50b3e53865a82c8b452e3cdf2

  • SHA512

    edf79d8562faa879e9d21af9e87cb3d8576e6efd93fef93923651a706683a7b8d7820783019a38890d940439343da49438e0f795c862ac7728840de191c8ab38

  • SSDEEP

    12288:FT2RAZPpPvF2WK2MTVc3L/oDQ0tHV1ZRllyI/o75ffxR3GnBjL8nAlA7I:FTY8PtvgH2M5c3LstHVRS75BQBLak

Score
10/10
redline25.9discoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

25.9

C2

185.106.92.22:34989

Attributes
  • auth_value

    b54cadcc3d907373e87b436a532d2ffa

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\for Luis\ Foundation.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\for Luis\ Foundation.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Users\Admin\AppData\Local\Temp\for Luis\ Foundation.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\for Luis\ Foundation.pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5048

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ Foundation.pdf.exe.log
    Filesize

    1KB

    MD5

    5c01a57bb6376dc958d99ed7a67870ff

    SHA1

    d092c7dfd148ac12b086049d215e6b00bd78628d

    SHA256

    cb8fd245425e915bfc5ff411f26303f7cb4a30ed37f2ea4a2f0a12501aa5f2a4

    SHA512

    e4e3a4b74f8e209573cce58b572c1f71653e6f4df98f98c5a1cecdf76c9ffb91d5e6994c89df41c9f3613a0584301a56ca922ab7497a434e108b28dcd7d33038

    Download Submit

  • memory/3664-269-0x0000000008F10000-0x0000000008F2A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3664-268-0x00000000098A0000-0x0000000009F18000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3664-257-0x0000000008160000-0x00000000081D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3664-253-0x0000000007E80000-0x0000000007ECB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3664-252-0x0000000007830000-0x000000000784C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3664-249-0x00000000078D0000-0x0000000007936000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3664-248-0x0000000007780000-0x00000000077E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3664-229-0x0000000007150000-0x0000000007778000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3664-224-0x0000000004950000-0x0000000004986000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3664-189-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-143-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-173-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-134-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-135-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-136-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-137-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-138-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-139-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-141-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-140-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-142-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-120-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-144-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-145-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-146-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-147-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-148-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-149-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-150-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-151-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-152-0x0000000000490000-0x00000000005B2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4548-153-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-154-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-155-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-156-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-157-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-158-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-159-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-160-0x0000000004D00000-0x0000000004DAA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/4548-161-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-162-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-163-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-164-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-165-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-166-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-167-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-168-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-169-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-170-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-171-0x0000000004EB0000-0x0000000004F42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4548-172-0x0000000004F80000-0x0000000004FA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4548-133-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-174-0x0000000004FB0000-0x0000000005300000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4548-175-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-176-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-177-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-178-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-179-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-180-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-181-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-182-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-183-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-184-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-185-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-186-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-187-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-132-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-131-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-130-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-129-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-128-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-127-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-126-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-125-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-124-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-123-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-122-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4548-121-0x0000000077530000-0x00000000776BE000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/5048-338-0x0000000005700000-0x000000000574B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/5048-310-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/5048-325-0x0000000005BD0000-0x00000000061D6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/5048-326-0x0000000005660000-0x0000000005672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5048-327-0x0000000005790000-0x000000000589A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5048-330-0x00000000056C0000-0x00000000056FE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5048-342-0x0000000005AA0000-0x0000000005B32000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5048-343-0x00000000066E0000-0x0000000006BDE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/5048-353-0x0000000006660000-0x000000000667E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5048-354-0x0000000006DB0000-0x0000000006E00000-memory.dmp

    Filesize

    320KB

    Download

  • memory/5048-355-0x0000000006FD0000-0x0000000007192000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5048-356-0x00000000076D0000-0x0000000007BFC000-memory.dmp

    Filesize

    5.2MB

    Download