Overview

overview

10

Static

static

ByteSize.dll

windows10-2004-x64

1

DeviceId.dll

windows10-2004-x64

1

DotRas.dll

windows10-2004-x64

1

DryIoc.dll

windows10-2004-x64

1

Loader.exe

windows10-2004-x64

10

language/d...es.dll

windows10-2004-x64

1

language/d...es.dll

windows10-2004-x64

1

language/e...es.dll

windows10-2004-x64

1

language/e...es.dll

windows10-2004-x64

1

language/e...es.dll

windows10-2004-x64

1

language/f...es.dll

windows10-2004-x64

1

language/h...es.dll

windows10-2004-x64

1

language/i...es.dll

windows10-2004-x64

1

language/p...Id.dll

windows10-2004-x64

1

language/p...as.dll

windows10-2004-x64

1

language/p...oc.dll

windows10-2004-x64

1

language/p...es.dll

windows10-2004-x64

1

language/p...e3.dll

windows10-2004-x64

3

language/r...es.dll

windows10-2004-x64

1

language/r...es.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    160s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/10/2022, 10:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    366KB

  • MD5

    d46101844376994b61c19ea15912979d

  • SHA1

    ef31093a80c6c25ec5a4f2324453e0b8aecc6166

  • SHA256

    c6c4a2c8e5485d5021b74517948d39ffcff969405d8b26ebfa564a017dc61095

  • SHA512

    a80a826e99f70363646368f02994f35258f41c2be5a77dbf5aac155470e071a9c927fe857841160370f277d1c5acfc3db0e13b397f6f23902381fcd04b4785c3

  • SSDEEP

    6144:UmtFN9/Dzh8Wm6XtPCFbCbBBBB0y8ZvtoPEn+gIzqVJrBBBBBBBtchweBBoBBBB2:UmtFN9/DdkFbCbBBBB0ygymywBBBBBBU

Score
10/10
redline@nmrzv_8infostealerspyware

Malware Config

Extracted

Family

redline

Botnet

@nmrzv_8

C2

77.73.134.24:80

Attributes
  • auth_value

    1eec868816c2feca6b467734d7cb723e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:100300
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\Demeon.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\Demeon.exe
            5⤵
            • Creates scheduled task(s)
            PID:3800
  • C:\Users\Admin\AppData\Roaming\Demeon.exe
    C:\Users\Admin\AppData\Roaming\Demeon.exe
    1⤵
    • Executes dropped EXE
    PID:452

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          Filesize

          4.5MB

          MD5

          3862bfb4f1273249bd73a8cba326d9a1

          SHA1

          952fc20b5c6aefbbdffdd2f33035bf57f31322e2

          SHA256

          2cd9fea6d90b1971118a4b434ad7d51ec70e188824c755db0891adba40c458d8

          SHA512

          cf2f01e674684a6f869fc030c7ef51bd88155763de79423647879a319c249a8bfe85bdeccc0fc8e7b815021a0a3490aee126302438b35e3bddd41f3d4938180d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          Filesize

          4.5MB

          MD5

          3862bfb4f1273249bd73a8cba326d9a1

          SHA1

          952fc20b5c6aefbbdffdd2f33035bf57f31322e2

          SHA256

          2cd9fea6d90b1971118a4b434ad7d51ec70e188824c755db0891adba40c458d8

          SHA512

          cf2f01e674684a6f869fc030c7ef51bd88155763de79423647879a319c249a8bfe85bdeccc0fc8e7b815021a0a3490aee126302438b35e3bddd41f3d4938180d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Demeon.exe
          Filesize

          4.5MB

          MD5

          3862bfb4f1273249bd73a8cba326d9a1

          SHA1

          952fc20b5c6aefbbdffdd2f33035bf57f31322e2

          SHA256

          2cd9fea6d90b1971118a4b434ad7d51ec70e188824c755db0891adba40c458d8

          SHA512

          cf2f01e674684a6f869fc030c7ef51bd88155763de79423647879a319c249a8bfe85bdeccc0fc8e7b815021a0a3490aee126302438b35e3bddd41f3d4938180d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Demeon.exe
          Filesize

          4.5MB

          MD5

          3862bfb4f1273249bd73a8cba326d9a1

          SHA1

          952fc20b5c6aefbbdffdd2f33035bf57f31322e2

          SHA256

          2cd9fea6d90b1971118a4b434ad7d51ec70e188824c755db0891adba40c458d8

          SHA512

          cf2f01e674684a6f869fc030c7ef51bd88155763de79423647879a319c249a8bfe85bdeccc0fc8e7b815021a0a3490aee126302438b35e3bddd41f3d4938180d

          Download Submit

        • memory/5080-156-0x00007FFFDE500000-0x00007FFFDEFC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5080-155-0x00007FFFDE500000-0x00007FFFDEFC1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5080-153-0x0000017C26760000-0x0000017C26782000-memory.dmp

          Filesize

          136KB

          Download

        • memory/100300-141-0x0000000005620000-0x000000000565C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/100300-147-0x0000000009180000-0x0000000009342000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/100300-148-0x0000000009D90000-0x000000000A2BC000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/100300-146-0x0000000008540000-0x0000000008590000-memory.dmp

          Filesize

          320KB

          Download

        • memory/100300-145-0x00000000084C0000-0x0000000008536000-memory.dmp

          Filesize

          472KB

          Download

        • memory/100300-144-0x00000000083D0000-0x0000000008436000-memory.dmp

          Filesize

          408KB

          Download

        • memory/100300-143-0x0000000008330000-0x00000000083C2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/100300-142-0x0000000008800000-0x0000000008DA4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/100300-140-0x00000000055C0000-0x00000000055D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/100300-139-0x0000000005690000-0x000000000579A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/100300-138-0x0000000005B90000-0x00000000061A8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/100300-133-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download